cicy-desktop 2.1.78 → 2.1.79

package/src/profiles/profile-store.js

@@ -0,0 +1,321 @@
+// profile-store.js — the shared "browser profile" standard across both backends.
+//
+// One profile = one backend (Chrome OR Electron); the two keep their own store
+// files and their own cookie engines, but expose an IDENTICAL core schema and
+// the same operations (list / proxy / logins). This module is the single source
+// of truth for that core — both src/tools/chrome-tools.js and
+// src/tools/account-tools.js (and window-utils proxy auto-apply) route through
+// it so the field names and semantics never drift.
+//
+// Stores (unchanged locations):
+//   chrome   → ~/cicy-ai/db/chrome.json        keyed "profile_<N>"
+//   electron → ~/data/electron/account-<N>.json
+//
+// Core fields (identical names in BOTH files, added lazily; missing = default):
+//   name    : string
+//   proxy   : { url, enabled }        ← persisted desired proxy (normalized)
+//   logins  : [ { platform, account, addedAt } ]   ← one entry per platform
+//   note    : string
+//   createdAt / updatedAt : ISO
+
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+
+const CHROME_JSON = path.join(os.homedir(), "cicy-ai", "db", "chrome.json");
+const ELECTRON_DIR = path.join(os.homedir(), "data", "electron");
+
+// ── proxy: the ONE normalizer ────────────────────────────────────────────────
+// Accepts every historical encoding and returns the canonical {url, enabled}:
+//   ""/null/undefined        → { url:"",  enabled:false }
+//   "socks5://…" (string)    → { url:s,   enabled:!!s }   (legacy chrome)
+//   { enable, url }          → { url,     enabled:!!enable } (legacy chrome obj)
+//   { enabled, url }         → { url,     enabled:!!enabled } (canonical)
+function normalizeProxy(raw) {
+  if (raw == null || raw === "") return { url: "", enabled: false };
+  if (typeof raw === "string") return { url: raw, enabled: !!raw };
+  if (typeof raw === "object") {
+    const url = typeof raw.url === "string" ? raw.url : "";
+    const enabled = ("enabled" in raw ? !!raw.enabled : !!raw.enable) && !!url;
+    return { url, enabled };
+  }
+  return { url: "", enabled: false };
+}
+
+// proxyRules(p) → the string for Electron session.setProxy / Chromium --proxy-server
+// (empty string = direct/no proxy).
+function proxyRules(proxyLike) {
+  const p = normalizeProxy(proxyLike);
+  return p.enabled && p.url ? p.url : "";
+}
+
+// ── logins: shared mutation (one entry per platform, keyed case-insensitively) ─
+function upsertLogin(logins, platform, account) {
+  const list = Array.isArray(logins) ? logins.slice() : [];
+  const key = String(platform || "").trim().toLowerCase();
+  if (!key) return list;
+  const next = list.filter((l) => String(l.platform || "").toLowerCase() !== key);
+  next.push({ platform: key, account: String(account || "").trim(), addedAt: new Date().toISOString() });
+  return next;
+}
+
+function removeLoginFrom(logins, platform) {
+  const list = Array.isArray(logins) ? logins : [];
+  const key = String(platform || "").trim().toLowerCase();
+  return list.filter((l) => String(l.platform || "").toLowerCase() !== key);
+}
+
+// ── rich login record (unified across chrome + electron) ─────────────────────
+// One entry per site, keyed by `name` (platform/site name) case-insensitively.
+// Legacy thin entries {platform, account, addedAt} are mapped forward so old
+// data keeps working: platform→name, account→username, addedAt→loginAt.
+const LOGIN_FIELDS = ["url", "name", "username", "email", "mobile", "twofa", "secondEmail", "note", "loginAt", "updatedAt"];
+
+function normalizeLogin(raw) {
+  const r = raw && typeof raw === "object" ? raw : {};
+  const s = (v, alt = "") => (typeof v === "string" ? v : alt);
+  return {
+    url: s(r.url),
+    name: s(r.name, s(r.platform)),
+    username: s(r.username, s(r.account)),
+    email: s(r.email),
+    mobile: s(r.mobile),
+    twofa: s(r.twofa, s(r.totp)),
+    secondEmail: s(r.secondEmail),
+    note: s(r.note),
+    loginAt: s(r.loginAt, s(r.addedAt)),
+    updatedAt: s(r.updatedAt),
+  };
+}
+
+function loginKey(l) {
+  return String((l && (l.name || l.url)) || "").trim().toLowerCase();
+}
+
+// Upsert by site key; only NON-EMPTY incoming fields overwrite existing ones
+// (so a partial patch never wipes data). Stamps loginAt (first seen) + updatedAt.
+function upsertLoginRich(logins, login) {
+  const list = (Array.isArray(logins) ? logins : []).map(normalizeLogin);
+  const inc = normalizeLogin(login);
+  const key = loginKey(inc);
+  if (!key) return list;
+  const now = new Date().toISOString();
+  const i = list.findIndex((l) => loginKey(l) === key);
+  if (i >= 0) {
+    const merged = { ...list[i] };
+    for (const k of LOGIN_FIELDS) if (inc[k]) merged[k] = inc[k];
+    merged.loginAt = merged.loginAt || now;
+    merged.updatedAt = now;
+    list[i] = merged;
+  } else {
+    inc.loginAt = inc.loginAt || now;
+    inc.updatedAt = now;
+    list.push(inc);
+  }
+  return list;
+}
+
+function removeLoginRich(logins, key) {
+  const k = String(key || "").trim().toLowerCase();
+  return (Array.isArray(logins) ? logins : []).map(normalizeLogin).filter((l) => loginKey(l) !== k);
+}
+
+// ── ipInfo: per-profile egress IP + geo area + last-probed time ──────────────
+function normalizeIpInfo(raw) {
+  const r = raw && typeof raw === "object" ? raw : {};
+  return {
+    ip: typeof r.ip === "string" ? r.ip : "",
+    area: typeof r.area === "string" ? r.area : "",
+    probedAt: typeof r.probedAt === "string" ? r.probedAt : "",
+  };
+}
+
+// ── chrome backend (chrome.json, key profile_<N>) ────────────────────────────
+function readChromeConfig() {
+  if (!fs.existsSync(CHROME_JSON)) return {};
+  try {
+    return JSON.parse(fs.readFileSync(CHROME_JSON, "utf-8")) || {};
+  } catch {
+    return {};
+  }
+}
+
+function writeChromeConfig(next) {
+  fs.mkdirSync(path.dirname(CHROME_JSON), { recursive: true });
+  fs.writeFileSync(CHROME_JSON, JSON.stringify(next || {}, null, 2), { mode: 0o600 });
+  try {
+    fs.chmodSync(CHROME_JSON, 0o600);
+  } catch {}
+}
+
+function chromeView(idx, entry) {
+  const e = entry && typeof entry === "object" ? entry : {};
+  return {
+    id: `chrome-${idx}`,
+    backend: "chrome",
+    accountIdx: idx,
+    name: typeof e.name === "string" && e.name ? e.name : `profile_${idx}`,
+    proxy: normalizeProxy(e.proxy),
+    logins: (Array.isArray(e.logins) ? e.logins : []).map(normalizeLogin),
+    note: typeof e.note === "string" ? e.note : "",
+    // chrome-specific extras (read-only passthrough)
+    gmail: typeof e.gmail === "string" ? e.gmail : "",
+    port: typeof e.port === "number" ? e.port : 11000 + idx,
+    rpaDir: typeof e.rpaDir === "string" ? e.rpaDir : `~/chrome/profile_${idx}`,
+    platform: e.platform && typeof e.platform === "object" ? e.platform : {},
+    ipInfo: normalizeIpInfo(e.ipInfo),
+  };
+}
+
+function chromeIndices() {
+  const data = readChromeConfig();
+  return Object.keys(data)
+    .map((k) => (/^profile_(\d+)$/.exec(k) ? Number(/^profile_(\d+)$/.exec(k)[1]) : null))
+    .filter((n) => typeof n === "number")
+    .sort((a, b) => a - b);
+}
+
+function mutateChrome(idx, fn) {
+  const data = readChromeConfig();
+  const key = `profile_${idx}`;
+  if (!data[key]) throw new Error(`Missing chrome.json entry: ${key}`);
+  data[key] = fn({ ...data[key] }) || data[key];
+  data[key].updatedAt = new Date().toISOString();
+  writeChromeConfig(data);
+  return chromeView(idx, data[key]);
+}
+
+// ── electron backend (account-<N>.json) ──────────────────────────────────────
+function electronFile(idx) {
+  return path.join(ELECTRON_DIR, `account-${idx}.json`);
+}
+
+function readAccount(idx) {
+  const f = electronFile(idx);
+  if (!fs.existsSync(f)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(f, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+
+function writeAccount(data) {
+  fs.mkdirSync(ELECTRON_DIR, { recursive: true });
+  fs.writeFileSync(electronFile(data.accountIdx), JSON.stringify(data, null, 2));
+}
+
+function electronView(idx, data) {
+  const d = data && typeof data === "object" ? data : { accountIdx: idx };
+  const meta = d.metadata && typeof d.metadata === "object" ? d.metadata : {};
+  return {
+    id: `electron-${idx}`,
+    backend: "electron",
+    accountIdx: idx,
+    name: typeof meta.name === "string" && meta.name ? meta.name : `electron-${idx}`,
+    proxy: normalizeProxy(d.proxy),
+    logins: (Array.isArray(d.logins) ? d.logins : []).map(normalizeLogin),
+    note: typeof d.note === "string" ? d.note : meta.description || "",
+    partition: `persist:sandbox-${idx}`,
+    ipInfo: normalizeIpInfo(d.ipInfo),
+  };
+}
+
+function electronIndices() {
+  if (!fs.existsSync(ELECTRON_DIR)) return [];
+  return fs
+    .readdirSync(ELECTRON_DIR)
+    .map((f) => (/^account-(\d+)\.json$/.exec(f) ? Number(/^account-(\d+)\.json$/.exec(f)[1]) : null))
+    .filter((n) => typeof n === "number")
+    .sort((a, b) => a - b);
+}
+
+function mutateElectron(idx, fn) {
+  let data = readAccount(idx);
+  if (!data) {
+    data = { accountIdx: idx, createdAt: new Date().toISOString(), windows: [], metadata: {} };
+  }
+  data = fn(data) || data;
+  data.updatedAt = new Date().toISOString();
+  writeAccount(data);
+  return electronView(idx, data);
+}
+
+// ── unified surface (backend = "chrome" | "electron") ────────────────────────
+function listProfiles(backend) {
+  if (backend === "chrome") return chromeIndices().map((i) => chromeView(i, readChromeConfig()[`profile_${i}`]));
+  if (backend === "electron") return electronIndices().map((i) => electronView(i, readAccount(i)));
+  throw new Error(`Unknown backend: ${backend}`);
+}
+
+function getProfile(backend, idx) {
+  if (backend === "chrome") {
+    const e = readChromeConfig()[`profile_${idx}`];
+    if (!e) return null;
+    return chromeView(idx, e);
+  }
+  if (backend === "electron") {
+    const d = readAccount(idx);
+    return d ? electronView(idx, d) : null;
+  }
+  throw new Error(`Unknown backend: ${backend}`);
+}
+
+// setProxy persists the desired proxy (canonical {url, enabled}) to the store.
+// Empty/falsey url clears it. Returns the updated unified view.
+function setProxy(backend, idx, url) {
+  const proxy = normalizeProxy(url);
+  if (backend === "chrome") return mutateChrome(idx, (e) => ({ ...e, proxy }));
+  if (backend === "electron") return mutateElectron(idx, (d) => ({ ...d, proxy }));
+  throw new Error(`Unknown backend: ${backend}`);
+}
+
+// setLogin — upsert a rich login record (any subset of LOGIN_FIELDS). Keyed by
+// `name` (site name). Works identically for both backends.
+function setLogin(backend, idx, login) {
+  if (backend === "chrome") return mutateChrome(idx, (e) => ({ ...e, logins: upsertLoginRich(e.logins, login) }));
+  if (backend === "electron") return mutateElectron(idx, (d) => ({ ...d, logins: upsertLoginRich(d.logins, login) }));
+  throw new Error(`Unknown backend: ${backend}`);
+}
+
+// addLogin — back-compat thin form (platform/account); delegates to setLogin.
+function addLogin(backend, idx, platform, account) {
+  return setLogin(backend, idx, { name: platform, username: account });
+}
+
+// setIpInfo — persist a freshly probed egress IP + area, stamping probedAt=now.
+function setIpInfo(backend, idx, info) {
+  const ipInfo = { ...normalizeIpInfo(info), probedAt: new Date().toISOString() };
+  if (backend === "chrome") return mutateChrome(idx, (e) => ({ ...e, ipInfo }));
+  if (backend === "electron") return mutateElectron(idx, (d) => ({ ...d, ipInfo }));
+  throw new Error(`Unknown backend: ${backend}`);
+}
+
+function removeLogin(backend, idx, nameOrUrl) {
+  if (backend === "chrome") return mutateChrome(idx, (e) => ({ ...e, logins: removeLoginRich(e.logins, nameOrUrl) }));
+  if (backend === "electron") return mutateElectron(idx, (d) => ({ ...d, logins: removeLoginRich(d.logins, nameOrUrl) }));
+  throw new Error(`Unknown backend: ${backend}`);
+}
+
+function listLogins(backend, idx) {
+  const p = getProfile(backend, idx);
+  return p ? p.logins : [];
+}
+
+module.exports = {
+  CHROME_JSON,
+  ELECTRON_DIR,
+  normalizeProxy,
+  proxyRules,
+  listProfiles,
+  getProfile,
+  setProxy,
+  setLogin,
+  addLogin,
+  removeLogin,
+  listLogins,
+  normalizeLogin,
+  LOGIN_FIELDS,
+  setIpInfo,
+  normalizeIpInfo,
+};

package/src/profiles/trusted-origins-store.js

@@ -0,0 +1,95 @@
+// Trusted-origins allowlist — the EXACT-hostname set of sites permitted to
+// receive the electronRPC bridge in profile 0 (i.e. allowed to run exec_shell &
+// friends on THIS machine). Persisted at ~/cicy-ai/db/trusted-origins.json as
+// { "origins": ["app.example.com", …] }.
+//
+// This is the ONLY user-controlled source of trust (see window-utils.isTrustedUrl).
+//   • localhost / 127.0.0.1 are always trusted (built-in, non-removable).
+//   • Everything else must be added explicitly here (Chrome-style site settings).
+//   • Adding a team / backend does NOT grant trust — "add a server" must never
+//     implicitly hand a remote origin the ability to run commands locally.
+//   • There is deliberately NO domain-suffix wildcard (a public-upload host like
+//     r2.deepfetch.de5.net under a trusted suffix would otherwise become a trusted
+//     RPC source).
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+let _audit = () => {};
+try { _audit = require("../utils/rpc-audit").audit; } catch {}
+
+const STORE = path.join(os.homedir(), "cicy-ai", "db", "trusted-origins.json");
+const BUILTIN = ["localhost", "127.0.0.1"]; // always trusted, cannot be removed
+
+// Normalize arbitrary user input to a bare hostname:
+//   "https://X.Com/path?q" → "x.com",  "x.com:3000" → "x.com",  "  x.com " → "x.com".
+// Returns "" when nothing usable / invalid.
+function normalizeHost(input) {
+  if (!input || typeof input !== "string") return "";
+  let s = input.trim().toLowerCase();
+  if (!s) return "";
+  if (/^[a-z][a-z0-9+.-]*:\/\//.test(s)) {
+    try { return new URL(s).hostname; } catch { return ""; }
+  }
+  s = s.split("/")[0].split("?")[0].split("#")[0]; // drop path/query/fragment
+  s = s.replace(/:\d+$/, "");                       // drop :port
+  if (!/^[a-z0-9.-]+$/.test(s)) return "";          // basic host charset
+  if (s.startsWith(".") || s.endsWith(".") || s.includes("..")) return "";
+  return s;
+}
+
+function readRaw() {
+  try {
+    if (!fs.existsSync(STORE)) return [];
+    const j = JSON.parse(fs.readFileSync(STORE, "utf-8")) || {};
+    return Array.isArray(j.origins) ? j.origins : [];
+  } catch { return []; }
+}
+
+function writeRaw(origins) {
+  fs.mkdirSync(path.dirname(STORE), { recursive: true });
+  fs.writeFileSync(STORE, JSON.stringify({ origins }, null, 2), { mode: 0o600 });
+  try { fs.chmodSync(STORE, 0o600); } catch {}
+}
+
+// User-managed origins only (normalized, de-duped, built-ins excluded).
+function listUser() {
+  const seen = new Set();
+  const out = [];
+  for (const h of readRaw()) {
+    const n = normalizeHost(h);
+    if (n && !BUILTIN.includes(n) && !seen.has(n)) { seen.add(n); out.push(n); }
+  }
+  return out;
+}
+
+// The full trusted set consumed by isTrustedUrl(): built-ins ∪ user list.
+function listAll() {
+  return [...BUILTIN, ...listUser()];
+}
+
+// UI shape: each row tagged builtin (greyed / non-removable) or user.
+function listForUi() {
+  return [
+    ...BUILTIN.map((host) => ({ host, builtin: true })),
+    ...listUser().map((host) => ({ host, builtin: false })),
+  ];
+}
+
+function add(input) {
+  const host = normalizeHost(input);
+  if (!host) return { ok: false, error: "无效的站点地址" };
+  if (BUILTIN.includes(host)) return { ok: true, origins: listForUi() }; // already trusted
+  const cur = listUser();
+  if (!cur.includes(host)) { writeRaw([...cur, host]); _audit({ kind: "auth", gate: "allowlist", host, decision: "trust-add" }); }
+  return { ok: true, origins: listForUi() };
+}
+
+function remove(input) {
+  const host = normalizeHost(input);
+  if (BUILTIN.includes(host)) return { ok: false, error: "内置站点不可删除" };
+  const cur = listUser();
+  if (cur.includes(host)) { writeRaw(cur.filter((h) => h !== host)); _audit({ kind: "auth", gate: "allowlist", host, decision: "trust-remove" }); }
+  return { ok: true, origins: listForUi() };
+}
+
+module.exports = { STORE, BUILTIN, normalizeHost, listUser, listAll, listForUi, add, remove };

package/src/server/worker-observability-routes.js

@@ -16,7 +16,6 @@ function createWorkerObservabilityRoutes({ getWorkerIdentity, getWorkerSnapshot
       workerId: getWorkerIdentity().workerId,
       ts: Date.now(),
       agents: snapshot.agents.length,
-      artifacts: snapshot.artifacts.length,
     });
   });
 
@@ -30,7 +29,6 @@ function createWorkerObservabilityRoutes({ getWorkerIdentity, getWorkerSnapshot
     const lines = [
       `cicy_worker_up 1`,
       `cicy_worker_agents ${snapshot.agents.length}`,
-      `cicy_worker_artifacts ${snapshot.artifacts.length}`,
       `cicy_worker_capabilities ${snapshot.capabilities.length}`,
       `cicy_worker_memory_rss ${snapshot.resources.memory.rss || 0}`,
       `cicy_worker_uptime ${snapshot.resources.uptime || 0}`,

package/src/sidecar/cicy-code.js

@@ -37,6 +37,9 @@ function probeExisting(port = DEFAULT_PORT, timeoutMs = 500) {
   });
 }
 
+// Running-daemon version lives in ONE place now: require("./version").running().
+// update() below uses it to verify what's actually live after a restart.
+
 let child = null;
 
 // Runtime Bundle v1 (主人指令): prefer the versioned runtime store on EVERY
@@ -139,12 +142,10 @@ async function start({ logPath, port = DEFAULT_PORT, force = false, version = nu
     CICY_CODE_PORT: String(port),
     PORT: String(port),
   };
+  // --helper removed (主人指令): Windows now runs cicy-code in normal mode (full
+  // tmux-based multi-agent via the bundled MSYS2 runtime), same as mac/linux —
+  // no longer the single headless 团队助手.
   const args = [];
-  if (process.platform === "win32") {
-    // Windows runs the single headless 团队助手 (--helper=1) on w-1001 — no tmux
-    // panes, so msys2/tmux are NOT bundled or referenced anymore (主人指令 2026-06-08).
-    args.push("--helper=1");
-  }
   child = spawn(exe, args, { stdio, detached: false, windowsHide: true, env });
   console.log(`[cicy-code-sidecar] spawned ${exe} ${args.join(" ")} pid=${child.pid} port=${port} log=${logPath || "(none)"}`);
 
@@ -160,6 +161,21 @@ async function start({ logPath, port = DEFAULT_PORT, force = false, version = nu
 // [] when lsof is missing or nothing is listening.
 const LSOF_CANDIDATES = ["/usr/sbin/lsof", "/usr/bin/lsof", "lsof"];
 function listPortPids(port) {
+  // Windows has no lsof — find the LISTENING PID on the port via netstat instead.
+  // Needed so stop()/update() can actually kill the old cicy-code.exe holding
+  // :8008 before launching the new version (else the new one can't bind and the
+  // update silently "succeeds" while the OLD version keeps running).
+  if (process.platform === "win32") {
+    try {
+      const out = execFileSync("netstat", ["-ano", "-p", "TCP"], { encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] });
+      const pids = new Set();
+      for (const line of out.split(/\r?\n/)) {
+        const m = line.match(/^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)/i);
+        if (m && Number(m[1]) === port) pids.add(parseInt(m[2], 10));
+      }
+      return [...pids].filter(n => n > 0);
+    } catch { return []; }
+  }
   for (const bin of LSOF_CANDIDATES) {
     try {
       const out = execFileSync(bin, ["-nP", `-tiTCP:${port}`, "-sTCP:LISTEN"], {
@@ -213,13 +229,17 @@ async function stop({ timeoutMs = 5000, port = DEFAULT_PORT } = {}) {
     if (p.exitCode === null) { try { p.kill("SIGKILL"); } catch {} }
   }
 
-  // 2) Anything STILL on :port we didn't spawn — a detached npx from a prior
-  //    launch, a user-run daemon, a PPID=1 orphan. The homepage 停止/重启 must
-  //    act on the REAL listener; otherwise (no tracked child) it would no-op.
-  //    Docker (win32) owns its own lifecycle, so skip the port-kill there.
-  if (process.platform !== "win32") {
-    await killPortListeners(port, timeoutMs);
+  // 2) Anything STILL on :port we didn't spawn — a detached prior launch, a
+  //    user-run daemon, an orphan. The homepage 停止/重启 + update() must act on
+  //    the REAL listener; otherwise (no tracked child) it would no-op.
+  //    Windows: the old Docker-route skip was WRONG (win is native cicy-code.exe
+  //    now) — it left the old daemon alive so update() couldn't replace the exe
+  //    (new binary on disk, but the OLD version kept running on :port → "更新完成"
+  //    yet still old). Hard-kill cicy-code.exe by image name + free the port.
+  if (process.platform === "win32") {
+    try { execFileSync("taskkill", ["/F", "/IM", "cicy-code.exe"], { stdio: "ignore" }); } catch {}
   }
+  await killPortListeners(port, timeoutMs);
 }
 
 // Remove npx's cached cicy-code installs so the next spawn re-fetches from the
@@ -256,35 +276,76 @@ async function restart({ logPath, port = DEFAULT_PORT } = {}) {
 // the latest per-platform subpackage into ~/.local/bin as a NEW version-named
 // binary, re-point cicy-code at it (re-copy on Windows), then stop + start from
 // that stable path and health-verify.
+let _updating = false;
+function isUpdating() { return _updating; }
+
 async function update({ logPath, port = DEFAULT_PORT, emit } = {}) {
   const e = emit || (() => {});
   const localbin = require("./localbin");
+  // Suspend the health watchdog for the duration: update() stops cicy-code, then
+  // downloads (~30s) before starting the new one — during that gap the watchdog
+  // would see the daemon "unreachable" and RESPAWN the OLD binary, racing the
+  // swap (holding the port / locking the .exe) so the new version never takes.
+  // main.js's watchdog tick checks isUpdating() and skips while this is true.
+  _updating = true;
   try {
+    // 主人令:更新 = 杀干净 cicy-code.exe → 起 cicy-code.exe → 探活 → 拿运行中真实
+    // version → 再判定"已是最新"。绝不凭磁盘 manifest 直接喊"已是最新"——manifest
+    // 可能比运行中的进程超前,甚至 daemon 根本没起。唯一可信的是运行中 /api/health
+    // 报的版本。所以这个流程对"已是最新"和"要升级"两种情况一视同仁:总是重启 + 验证。
     e({ phase: "download", status: "running", message: "检查最新版本…" });
-    const cur = localbin.currentVersion();
     const latest = await localbin.latestVersion();
     if (!latest) throw new Error("无法获取最新版本号");
-    if (cur && localbin.cmpVer(latest, cur) <= 0) {
-      // Already current — no download, no restart (不重复下载/更新).
-      e({ phase: "done", status: "done", message: `已是最新 ${cur}` });
-      return null;
-    }
-    await localbin.fetchToLocalBin(latest, { emit }); // download → ~/.local/bin → re-link
-    e({ phase: "swap", status: "running", message: `切换到 ${latest}，启动…` });
+    const cur = localbin.currentVersion();              // 磁盘 manifest:只用来决定要不要下载
+    const needDownload = !cur || localbin.cmpVer(latest, cur) > 0;
+
+    // 1) 杀干净
+    e({ phase: "swap", status: "running", message: "停止 cicy-code…" });
     await stop({ port });
-    await new Promise(r => setTimeout(r, 300));
+    await new Promise(r => setTimeout(r, 400));
+
+    // 2) 落后才下载(此时 cicy-code.exe 已死,Windows 也能覆盖)
+    if (needDownload) {
+      e({ phase: "download", status: "running", message: `下载 ${latest}…` });
+      await localbin.fetchToLocalBin(latest, { emit });
+    }
+
+    // 3) 起
+    e({ phase: "swap", status: "running", message: "启动 cicy-code…" });
     const c = await start({ logPath, port, force: true });
+
+    // 4) 探活:等 TCP 监听起来
+    let up = false;
     for (let i = 0; i < 120; i++) {
-      if (await probeExisting(port)) { e({ phase: "done", status: "done", message: `已更新到 ${latest}` }); return c; }
+      if (await probeExisting(port)) { up = true; break; }
       await new Promise(r => setTimeout(r, 500));
     }
-    e({ phase: "done", status: "error", message: "新版本未在 60s 内就绪" });
+    if (!up) { e({ phase: "done", status: "error", message: "cicy-code 未在 60s 内启动" }); return c; }
+
+    // 5) 拿运行中真实 version(唯一来源 version.running();可能略慢于 TCP,重试几次)
+    const version = require("./version");
+    let running = "";
+    for (let i = 0; i < 20 && !running; i++) {
+      running = await version.running(port);
+      if (!running) await new Promise(r => setTimeout(r, 500));
+    }
+
+    // 6) 以运行中真实版本判定——不撒谎
+    if (running && localbin.cmpVer(running, latest) >= 0) {
+      e({ phase: "done", status: "done", message: `已是最新 ${running}` });
+    } else if (running) {
+      e({ phase: "done", status: "done", message: `已更新到 ${running}` });
+    } else {
+      e({ phase: "done", status: "done", message: `已启动(版本未知,期望 ${latest})` });
+    }
     return c;
   } catch (err) {
     console.warn(`[cicy-code-sidecar] update failed: ${err.message}`);
     e({ phase: "done", status: "error", message: `更新失败：${err.message}` });
     return null;
+  } finally {
+    _updating = false;
   }
 }
 
-module.exports = { start, stop, restart, update, probeExisting, clearNpxCache };
+module.exports = { start, stop, restart, update, probeExisting, clearNpxCache, isUpdating };

package/src/sidecar/localbin.js

@@ -133,9 +133,26 @@ async function latestVersion(name = DEFAULT) {
 function linkTo(name, verBinPath, ver) {
   const link = linkFor(name);
   fs.mkdirSync(LOCAL_BIN, { recursive: true });
-  try { fs.rmSync(link, { force: true }); } catch {}
-  if (IS_WIN) fs.copyFileSync(verBinPath, link);
-  else fs.symlinkSync(verBinPath, link);
+  if (IS_WIN) {
+    // Windows can't DELETE or OVERWRITE a RUNNING .exe (EPERM/EBUSY) — which is
+    // exactly the update case, since cicy-code.exe is live when we re-link. But
+    // Windows CAN *rename* a running exe: move the in-use link aside (unique name
+    // so it never collides with an older still-running one), then copy the new
+    // binary into place. The old process keeps running from the renamed file; the
+    // next start picks up the new one. (Stale .old-* are harmless; best-effort swept.)
+    try {
+      if (fs.existsSync(link)) fs.renameSync(link, `${link}.old-${Date.now()}`);
+    } catch {}
+    fs.copyFileSync(verBinPath, link);
+    try {
+      for (const f of fs.readdirSync(LOCAL_BIN)) {
+        if (f.startsWith(`${BIN}.old-`)) { try { fs.rmSync(path.join(LOCAL_BIN, f), { force: true }); } catch {} }
+      }
+    } catch {}
+  } else {
+    try { fs.rmSync(link, { force: true }); } catch {}
+    fs.symlinkSync(verBinPath, link);
+  }
   if (ver) writeManifest(name, ver);
   return link;
 }

package/src/sidecar/native.js

@@ -140,9 +140,9 @@ async function start({ port = 8008, logPath = null, emit, version = null } = {})
     PORT: String(port),
     CICY_CODE_PORT: String(port),
   };
-  // --helper=1: on Windows, boot as the single headless cicy 团队助手 on w-1001
-  // (开机即团队助手). The flag is a no-op on cicy-code builds that don't support it.
-  const child = spawn(exe, ["--helper=1"], { stdio, detached: true, windowsHide: true, env });
+  // --helper removed (主人指令): boot cicy-code in normal mode (full tmux-based
+  // multi-agent), not the single headless 团队助手.
+  const child = spawn(exe, [], { stdio, detached: true, windowsHide: true, env });
   child.unref();
   try { fs.writeFileSync(PID_FILE, String(child.pid)); } catch {}
   console.log(`[native-sidecar] spawned ${exe} pid=${child.pid} port=${port} log=${logPath || "(none)"}`);