cicy-desktop 2.1.78 → 2.1.80

package/src/backends/homepage-react/index.html

@@ -6,8 +6,8 @@
   <link rel="icon" type="image/svg+xml" href="./favicon.svg" />
   <link rel="icon" type="image/png" sizes="256x256" href="./favicon-256.png" />
   <title>CiCy Desktop</title>
-  <script type="module" crossorigin src="./assets/index-DLYMzgf5.js"></script>
-  <link rel="stylesheet" crossorigin href="./assets/index-DE9m6JTn.css">
+  <script type="module" crossorigin src="./assets/index-CSsNZgC5.js"></script>
+  <link rel="stylesheet" crossorigin href="./assets/index-CKpaMBKz.css">
 </head>
 <body>
   <div id="root"></div>

package/src/backends/homepage-window.js

@@ -11,15 +11,40 @@ const path = require("path");
 const { BrowserWindow } = require("electron");
 const log = require("electron-log");
 
+// Fixed homepage window size (主人令: 写死 930*640, 不能 resize).
+const FIXED_WIDTH = 930;
+const FIXED_HEIGHT = 640;
+
 const LOCAL_INDEX = path.join(__dirname, "homepage-react", "index.html");
 
 function pickHomepageURL() {
   return `file://${LOCAL_INDEX}`;
 }
 
-let homepage = null;
+let homepage = null;    // standalone fallback window (only if the tab engine fails)
+let homeTabWc = null;   // the homepage's resident-tab webContents (primary path)
 
+// Primary entry: the homepage is the RESIDENT first tab of profile 0's tab
+// browser window (主人令: homepage = profile 0 的起始页). Clicking a team there
+// opens the team as another tab in the same window. Falls back to a standalone
+// window only if the tab engine throws, so the homepage is never unreachable.
 async function openHomepage() {
+  try {
+    const tabBrowser = require("../tools/tab-browser-tools");
+    const { win, wc } = tabBrowser.openHomeWindow(0, pickHomepageURL());
+    if (wc) {
+      homeTabWc = wc;
+      try { wc.once("destroyed", () => { if (homeTabWc === wc) homeTabWc = null; }); } catch {}
+    }
+    log.info(`[homepage] opened as profile-0 resident tab (wc=${wc && wc.id})`);
+    return win;
+  } catch (e) {
+    log.warn(`[homepage] tab route failed (${e.message}); using standalone window`);
+    return openHomepageStandalone();
+  }
+}
+
+async function openHomepageStandalone() {
   if (homepage && !homepage.isDestroyed()) {
     if (homepage.isMinimized()) homepage.restore();
     homepage.show();
@@ -27,10 +52,11 @@ async function openHomepage() {
     return homepage;
   }
   homepage = new BrowserWindow({
-    width: 1320,
-    height: 800,
-    minWidth: 360,
-    minHeight: 480,
+    width: FIXED_WIDTH,
+    height: FIXED_HEIGHT,
+    resizable: false,
+    maximizable: false,
+    fullscreenable: false,
     title: "CiCy Desktop",
     icon: require("../utils/app-icon").appIconPath(), // npx/unpackaged → set the
     // window+taskbar icon ourselves (no .exe to embed it on Windows).
@@ -90,7 +116,26 @@ async function openHomepage() {
 }
 
 function isOpen() {
-  return !!(homepage && !homepage.isDestroyed());
+  return !!((homeTabWc && !homeTabWc.isDestroyed()) || (homepage && !homepage.isDestroyed()));
 }
 
-module.exports = { openHomepage, isOpen, getHomepageWindow: () => homepage };
+// A stable shim that always resolves to the live homepage surface — the resident
+// tab's webContents when present, else the standalone window's. Returned object
+// identity is stable so callers that hold it across the async gap before the tab
+// exists (appUpdater.init) still work once the tab loads. Used for main→renderer
+// pushes: auth:complete (main.js), app:update-state (app-updater.js).
+const homeWinShim = {
+  get webContents() {
+    if (homeTabWc && !homeTabWc.isDestroyed()) return homeTabWc;
+    if (homepage && !homepage.isDestroyed()) return homepage.webContents;
+    return null;
+  },
+  isDestroyed() {
+    const wc = this.webContents;
+    return !wc || (typeof wc.isDestroyed === "function" && wc.isDestroyed());
+  },
+};
+
+function getHomepageWindow() { return homeWinShim; }
+
+module.exports = { openHomepage, isOpen, getHomepageWindow };

package/src/backends/ipc.js

@@ -214,6 +214,63 @@ function register(opts = {}) {
     return { ok: true, ...readTos() };
   });
   ipcMain.handle("logs:tail", (_e, input) => tailLog(input || {}));
+
+  // ── Trusted origins (Chrome-style site-settings allowlist) ──────────────────
+  // The ONLY user-controlled source of "which sites may receive the electronRPC
+  // bridge (= run commands locally)". Every write refreshes the cached set in
+  // window-utils so isTrustedUrl() takes effect immediately (no restart).
+  ipcMain.handle("trustedOrigins:list", () => {
+    return require("../profiles/trusted-origins-store").listForUi();
+  });
+  ipcMain.handle("trustedOrigins:add", (_e, host) => {
+    const r = require("../profiles/trusted-origins-store").add(host);
+    try { require("../utils/window-utils").refreshTrustedOrigins(); } catch {}
+    return r;
+  });
+  ipcMain.handle("trustedOrigins:remove", (_e, host) => {
+    const r = require("../profiles/trusted-origins-store").remove(host);
+    try { require("../utils/window-utils").refreshTrustedOrigins(); } catch {}
+    return r;
+  });
+
+  // ── Open / reload a URL as a TAB in profile 0's tab browser ─────────────────
+  // Homepage cards (incl. cloud team cards) open the same way the local card does
+  // — a tab in the current profile (0) — instead of a new window / system browser.
+  ipcMain.handle("tabs:open", async (_e, input) => {
+    try {
+      const tb = require("../tools/tab-browser-tools");
+      const r = await tb.openTab(0, String((input && input.url) || ""), { systemOpen: true, trusted: false, title: (input && input.title) || "" });
+      return { ok: true, winId: r.winId, tabId: r.tabId };
+    } catch (e) { return { ok: false, error: String((e && e.message) || e) }; }
+  });
+  ipcMain.handle("tabs:reload", async (_e, input) => {
+    try {
+      const tb = require("../tools/tab-browser-tools");
+      return await tb.reloadTabByUrl(0, String((input && input.url) || ""), { title: (input && input.title) || "" });
+    } catch (e) { return { ok: false, error: String((e && e.message) || e) }; }
+  });
+
+  // ── RPC audit log (read-only viewer) ────────────────────────────────────────
+  // JSONL at ~/cicy-ai/db/rpc-audit.log (utils/rpc-audit.js): every electronRPC
+  // call + every authorization decision (incl. temporary ones) + allowlist edits.
+  // Returns the most recent `limit` entries newest-first; merges the rotated .1
+  // file when the live log is short. Read-only — the UI reviews, never mutates.
+  ipcMain.handle("rpcAudit:tail", (_e, input) => {
+    const limit = Math.max(1, Math.min(2000, Number((input && input.limit) || 300)));
+    try {
+      const { LOG } = require("../utils/rpc-audit");
+      const fs = require("fs");
+      const read = (p) => { try { return fs.readFileSync(p, "utf-8").split("\n").filter(Boolean); } catch { return []; } };
+      let lines = read(LOG);
+      if (lines.length < limit) lines = read(LOG + ".1").concat(lines); // older file first
+      const entries = [];
+      for (const ln of lines.slice(-limit)) { try { entries.push(JSON.parse(ln)); } catch {} }
+      entries.reverse(); // newest first
+      return { ok: true, entries, path: LOG };
+    } catch (e) {
+      return { ok: false, error: String((e && e.message) || e), entries: [] };
+    }
+  });
 }
 
 module.exports = { register, openHomepage };

package/src/backends/local-teams.js

@@ -116,11 +116,8 @@ function probeHealth(baseUrl, token) {
       res.setEncoding("utf8");
       res.on("data", (c) => { body += c; if (body.length > 8192) body = body.slice(0, 8192); });
       res.on("end", () => {
-        let ver = null;
-        try {
-          const j = JSON.parse(body);
-          ver = j?.version || j?.data?.version || null;
-        } catch {}
+        // 版本解析唯一来源:require("../sidecar/version").parseHealthVersion
+        const ver = require("../sidecar/version").parseHealthVersion(body);
         resolve({
           ok: res.statusCode >= 200 && res.statusCode < 300,
           status: res.statusCode,
@@ -276,14 +273,27 @@ async function openTeam(id) {
     }
   }
 
-  const { createWindow } = require("../utils/window-utils");
-  const win = createWindow(
-    { url, title: `Local · ${node.name || id}` },
-    0,    // accountIdx — local teams all share account 0's session partition
-    true, // forceNew — we already determined no match above
-  );
-  log.info(`[local-teams] open ${id} → new win.id=${win.id}`);
-  return { ok: true, windowId: win.id, reused: false };
+  // Open the team as a TAB in account 0's tab browser (一个 profile 一个窗口，
+  // 不再每次弹新窗口). trusted=true → the tab gets the electronRPC bridge so the
+  // cicy-code SPA keeps working. Falls back to a real window on any failure so
+  // opening a team is never blocked.
+  try {
+    const tabBrowser = require("../tools/tab-browser-tools");
+    // tab name = the team's title (not the cicy-code SPA's document.title)
+    const r = await tabBrowser.openTab(0, url, { trusted: true, systemOpen: true, title: node.name || id });
+    log.info(`[local-teams] open ${id} → tab in win.id=${r.winId} (reused=${r.reused})`);
+    return { ok: true, windowId: r.winId, reused: !!r.reused, tabbed: true };
+  } catch (e) {
+    log.warn(`[local-teams] open ${id} → tab failed (${e.message}); falling back to window`);
+    const { createWindow } = require("../utils/window-utils");
+    const win = createWindow(
+      { url, title: `Local · ${node.name || id}` },
+      0,    // accountIdx — local teams all share account 0's session partition
+      true, // forceNew — we already determined no match above
+    );
+    log.info(`[local-teams] open ${id} → new win.id=${win.id}`);
+    return { ok: true, windowId: win.id, reused: false };
+  }
 }
 
 // Is this URL served by something on the local machine (the cicy-code sidecar)?
@@ -409,17 +419,49 @@ async function syncNameToCloud(id) {
     if (!cc.loginToken || !cc.loginToken()) return; // not logged in
     const node = readNodes()[id];
     if (!node || !isLocalOrigin(node.base_url || "")) return;
-    const reg = await cc.registerTeam({ teamId: node.cloud_team_id || null, title: node.name || "" });
-    if (reg && reg.ok && reg.teamId && reg.teamId !== node.cloud_team_id) {
-      await writeNodes((nodes) => {
-        if (nodes[id]) nodes[id].cloud_team_id = reg.teamId;
-        return nodes;
-      });
-      log.info(`[local-teams] cloud name-sync ${id} → teamId=${reg.teamId}`);
-    } else if (reg && reg.ok) {
-      log.info(`[local-teams] cloud name-sync ${id} title updated (teamId=${node.cloud_team_id})`);
+    let reg = await cc.registerTeam({ teamId: node.cloud_team_id || null, title: node.name || "", titleVersion: node.titleVersion || 0 });
+    // Self-heal a STALE cached cloud_team_id: if we presented a cached id but the
+    // cloud returned ok WITHOUT an apiKey (team deleted / rotated / no longer owned
+    // cloud-side — e.g. after a cloud wipe), the cached id is dead. Re-register with
+    // teamId=null to mint a FRESH team+key instead of silently leaving the gateway
+    // key empty (the "apiKey stays empty after a cloud wipe → requests 发不出去" bug).
+    // The teamId-changed branch below persists the new id back into teams.json.
+    if (reg && reg.ok && !reg.apiKey && node.cloud_team_id) {
+      log.warn(`[local-teams] cached cloud_team_id=${node.cloud_team_id} returned no gateway key — re-creating a fresh team`);
+      reg = await cc.registerTeam({ teamId: null, title: node.name || "", titleVersion: node.titleVersion || 0 });
+    }
+    // The cloud assigns this team a sk-cicy- gateway apiKey on register — wire
+    // it (full provider items + CLI routing, 主人 spec) into this machine's
+    // global.json so cicy-code has an LLM key from the moment it starts.
+    // Idempotent: injectGatewayKey no-ops when everything is already in place.
+    if (reg && reg.ok && reg.apiKey) {
+      try {
+        const inj = cc.injectGatewayKey(reg.apiKey, reg.gatewayUrl);
+        if (inj && inj.changed) log.info(`[local-teams] gateway key injected into global.json (teamId=${reg.teamId})`);
+      } catch (e) { log.warn(`[local-teams] gateway key injection failed: ${e.message}`); }
+    }
+    if (reg && reg.ok) {
+      // 服务端权威版本号裁决(w-10032 契约):响应版本 > 本地 → 采用响应的 title+version。
+      // 一条规则覆盖三种情况:(a) 云端/别处改名下行(reg.title=云端名,版本更大);
+      // (b) 本端改名被接受(reg.title=本端名,版本=base+1);(c) 冲突被拒(base 落后→
+      // reg.title=云端名,版本更大→云端赢)。相同名服务端不 bump→版本不变→不动。
+      const respVer = Number(reg.titleVersion) || 0;
+      const localVer = Number(node.titleVersion) || 0;
+      const adopt = respVer > localVer;
+      const teamIdChanged = reg.teamId && reg.teamId !== node.cloud_team_id;
+      if (teamIdChanged || adopt) {
+        await writeNodes((nodes) => {
+          if (nodes[id]) {
+            if (teamIdChanged) nodes[id].cloud_team_id = reg.teamId;
+            if (adopt) { if (reg.title) nodes[id].name = reg.title; nodes[id].titleVersion = respVer; }
+          }
+          return nodes;
+        });
+      }
+      if (adopt) log.info(`[local-teams] cloud title-sync ${id} ← "${reg.title}" v${respVer} (was v${localVer})`);
+      else if (teamIdChanged) log.info(`[local-teams] cloud title-sync ${id} → teamId=${reg.teamId}`);
     }
-  } catch (e) { log.warn(`[local-teams] cloud name-sync ${id} failed: ${e.message}`); }
+  } catch (e) { log.warn(`[local-teams] cloud title-sync ${id} failed: ${e.message}`); }
 }
 
 // Sync EVERY existing local-origin team to cloud. Runs once at startup (after
@@ -568,17 +610,22 @@ async function updateTeam(id, patch) {
   }
 
   let existed = false;
+  const isRename = filtered.name !== undefined;
   await writeNodes((nodes) => {
     if (Object.prototype.hasOwnProperty.call(nodes, id)) {
       existed = true;
       nodes[id] = { ...nodes[id], ...filtered, updated_at: new Date().toISOString() };
+      // 改名:只改 name,titleVersion 保持「最后一次从云端看到的」作为 base 不动。
+      // syncNameToCloud 带这个 base 去注册;服务端接受后盖 base+1,响应回来再写回本地
+      // (服务端权威,w-10032 契约)。冲突(base 落后)则被拒、采用云端名,见 syncNameToCloud。
     }
     return nodes;
   });
   if (!existed) return { ok: false, error: "team not found" };
   log.info(`[local-teams] update ${id} → ${Object.keys(filtered).join(",")}`);
-  // Rename → push the new title to the cloud (best-effort, one-way).
-  if (filtered.name !== undefined) syncNameToCloud(id).catch(() => {});
+  // Rename → push the new title (with the base titleVersion) to the cloud, and
+  // pull down a newer cloud name if there is one (two-way LWW inside syncNameToCloud).
+  if (isRename) syncNameToCloud(id).catch(() => {});
   const next = readNodes()[id] || {};
   let port = null;
   try { port = parseInt(new URL(next.base_url || "").port, 10) || null; } catch {}
@@ -800,7 +847,7 @@ function fetchManifestVersion() {
         res.setEncoding("utf8");
         res.on("data", (c) => { body += c; if (body.length > 8192) body = body.slice(0, 8192); });
         res.on("end", () => {
-          try { resolve(JSON.parse(body)?.version || null); }
+          try { resolve(require("../sidecar/version").parseHealthVersion(body)); }
           catch { resolve(null); }
         });
       });

package/src/backends/sidecar-ipc.js

@@ -28,6 +28,17 @@ function register({ sidecarLogPath } = {}) {
     return { running };
   });
 
+  // The ONE place the homepage gets cicy-code versions (主人令:"拿版本就一个方法").
+  //   running   → the live daemon's /api/health version ("正在跑什么"的唯一真相)
+  //   latest    → newest on npm (same number 更新 upgrades to)
+  //   installed → on-disk binary (manifest)
+  // The card derives 更新可用 / 已是最新 from THESE — never from ad-hoc probes.
+  ipcMain.handle("sidecar:versions", async () => {
+    const version = require("../sidecar/version");
+    const [running, latest] = await Promise.all([version.running(PORT), version.latest()]);
+    return { running: running || null, latest: latest || null, installed: version.installed() || null };
+  });
+
   // ---- Windows Docker bootstrap (homepage's "no Docker" setup flow) ----
   // docker:status → what's missing; docker:bootstrap → install Docker (if
   // needed) + load image + start container, streaming progress back to the

package/src/backends/webview-preload.js

@@ -30,9 +30,11 @@ const relay = (type, payload) =>
 // inside the helper agent's exec-js calls) call window.electronRPC("exec_shell",
 // {...}) etc. The Team Helper genuinely needs shell access to download +
 // install cicy-code on the user's machine, so we mirror the same bridge
-// here. Same channel as homepage-preload's "rpc" → the existing tool
-// registry dispatches without any further wiring.
-const electronRPC = (tool, args) => ipcRenderer.invoke("rpc", tool, args || {});
+// here. Routed through the GUARDED channel ("rpc:guarded") — this is a remote
+// third party, so dangerous tools (exec_*/file_*) prompt the user for a per-page
+// grant before running (a trusted-origin XSS must not be silent RCE). Normal
+// tools pass straight through. The homepage uses the unguarded "rpc" channel.
+const electronRPC = (tool, args) => ipcRenderer.invoke("rpc:guarded", tool, args || {});
 
 const cicyApi = {
   platform: process.platform,

package/src/backends/window-manager.js

@@ -164,9 +164,19 @@ async function openWindowForBackend(backend, opts = {}) {
   }
 
   registry.markUsed(backend.id);
-  // forceNew=true so each "Open" produces a new BrowserWindow even when
-  // oneWindow mode is on — the whole point of the launcher is multi-window.
-  return createWindow({ url }, backendAccountIdx(backend), true);
+  const acct = 0; // all teams open as tabs in profile 0's tab window (主人令)
+  // Open as a TAB in profile 0's tab window (不弹新窗口). trusted=true so the
+  // cicy-code SPA gets its electronRPC bridge. Fallback to a real window on any
+  // failure so opening a backend is never blocked.
+  try {
+    const tabBrowser = require("../tools/tab-browser-tools");
+    const { BrowserWindow } = require("electron");
+    // tab name = the backend/team's title (not the SPA's document.title)
+    const r = await tabBrowser.openTab(acct, url, { trusted: true, systemOpen: true, title: backend.name || "" });
+    return BrowserWindow.fromId(r.winId) || createWindow({ url }, acct, true);
+  } catch (e) {
+    return createWindow({ url }, acct, true);
+  }
 }
 
 module.exports = { openWindowForBackend, buildLocalUrl, buildRemoteUrl, resolveBackendUrl, readCicyAiApiToken, backendAccountIdx };

package/src/chrome/chrome-launcher.js

@@ -9,7 +9,7 @@ const { config } = require("../config");
 
 // Default profile model: one user-data-dir per accountIdx
 // Directory layout:
-//   ~/chrome/account_<idx>/Default/...
+//   ~/chrome/profile_<idx>/Default/...
 const DEFAULT_USER_DATA_BASE_ROOT = path.join(os.homedir(), "chrome");
 const DEFAULT_DEBUGGER_BASE_PORT = 9320;
 
@@ -18,11 +18,12 @@ function getProfileDirectory(_accountIdx) {
 }
 
 function getDefaultUserDataDirRoot(accountIdx, baseRoot = DEFAULT_USER_DATA_BASE_ROOT) {
-  // If caller passes a concrete account dir already, respect it.
-  if (typeof baseRoot === "string" && /account_\d+$/.test(baseRoot)) {
+  // If caller passes a concrete profile dir already, respect it.
+  // (account_<n> accepted for backward-compat with pre-rename dirs.)
+  if (typeof baseRoot === "string" && /(?:profile|account)_\d+$/.test(baseRoot)) {
     return baseRoot;
   }
-  return path.join(baseRoot, `account_${accountIdx}`);
+  return path.join(baseRoot, `profile_${accountIdx}`);
 }
 
 function getDefaultDebuggerPort(accountIdx, basePort = DEFAULT_DEBUGGER_BASE_PORT) {

package/src/chrome/debugger-port-resolver.js

@@ -12,7 +12,7 @@ function readPrivateChromeConfig() {
 }
 
 function getConfiguredDebuggerPort(accountIdx, chromeConfig = readPrivateChromeConfig()) {
-  const entry = chromeConfig?.[`account_${accountIdx}`];
+  const entry = chromeConfig?.[`profile_${accountIdx}`];
   return typeof entry?.port === "number" ? entry.port : null;
 }