codexmate 0.0.33 → 0.0.36

package/cli/agents-files.js

@@ -92,6 +92,9 @@ function createAgentsFileController(deps = {}) {
     function applyClaudeMdFile(params = {}) {
         const filePath = resolveClaudeMdFilePath();
         const content = typeof params.content === 'string' ? params.content : '';
+        if (content.length > 2 * 1024 * 1024) {
+            return { error: '内容过大（最大 2MB）' };
+        }
         const lineEnding = params.lineEnding === '\r\n' ? '\r\n' : '\n';
         const normalized = normalizeLineEnding(content, lineEnding);
         const finalContent = ensureUtf8Bom(normalized);
@@ -150,6 +153,9 @@ function createAgentsFileController(deps = {}) {
         }
 
         const content = typeof params.content === 'string' ? params.content : '';
+        if (content.length > 2 * 1024 * 1024) {
+            return { error: '内容过大（最大 2MB）' };
+        }
         const lineEnding = params.lineEnding === '\r\n' ? '\r\n' : '\n';
         const normalized = normalizeLineEnding(content, lineEnding);
         const finalContent = ensureUtf8Bom(normalized);

package/cli/archive-helpers.js

@@ -4,6 +4,7 @@ function createArchiveHelperController(deps = {}) {
         path,
         os,
         execSync,
+        execFileSync,
         zipLib,
         yauzl,
         ensureDir,
@@ -341,8 +342,11 @@ function createArchiveHelperController(deps = {}) {
 
             const zipTool = resolveZipTool();
             if (zipTool.type === 'zip') {
-                const cmd = `"${zipTool.cmd}" -0 -q -r "${zipFilePath}" "${dirPath}"`;
-                execSync(cmd, { stdio: 'ignore' });
+                if (typeof execFileSync === 'function') {
+                    execFileSync(zipTool.cmd, ['-0', '-q', '-r', zipFilePath, dirPath], { stdio: 'ignore' });
+                } else {
+                    execSync(`"${zipTool.cmd}" -0 -q -r "${zipFilePath}" "${dirPath}"`, { stdio: 'ignore' });
+                }
             } else {
                 await zipWithLibrary(dirPath, zipFilePath);
             }
@@ -371,8 +375,11 @@ function createArchiveHelperController(deps = {}) {
 
         try {
             if (zipTool.type === 'zip') {
-                const cmd = `"${zipTool.cmd}" -0 -q -r "${zipFilePath}" "${dirPath}"`;
-                execSync(cmd, { stdio: 'ignore' });
+                if (typeof execFileSync === 'function') {
+                    execFileSync(zipTool.cmd, ['-0', '-q', '-r', zipFilePath, dirPath], { stdio: 'ignore' });
+                } else {
+                    execSync(`"${zipTool.cmd}" -0 -q -r "${zipFilePath}" "${dirPath}"`, { stdio: 'ignore' });
+                }
             } else {
                 await zipWithLibrary(dirPath, zipFilePath);
             }

package/cli/local-bridge.js

@@ -74,7 +74,7 @@ function buildClaudeUpstreamPool(claudeProvidersFile, excludedProviders) {
         if (excludedSet.has(name.toLowerCase())) continue;
         const baseUrl = typeof p.baseUrl === 'string' ? p.baseUrl.trim() : '';
         if (!baseUrl || !isValidHttpUrl(normalizeBaseUrl(baseUrl))) continue;
-        pool.push({ name, baseUrl: normalizeBaseUrl(baseUrl), apiKey: typeof p.apiKey === 'string' ? p.apiKey : '' });
+        pool.push({ name, baseUrl: normalizeBaseUrl(baseUrl), apiKey: typeof p.apiKey === 'string' ? p.apiKey : '', model: typeof p.model === 'string' ? p.model.trim() : '' });
     }
     if (pool.length === 0) return { error: '请先添加可用的 Claude 上游提供商' };
     return { pool };
@@ -271,7 +271,7 @@ function createLocalBridgeHttpHandler(options = {}) {
                     return;
                 }
                 res.writeHead(200, { 'Content-Type': 'application/json; charset=utf-8' });
-                res.end(JSON.stringify({ object: 'codexmate.claude_local_bridge', provider: entry.name, status: 'ok', pool: pool.map(p => p.name) }));
+                res.end(JSON.stringify({ object: 'codexmate.claude_local_bridge', provider: entry.name, model: entry.model || '', status: 'ok', pool: pool.map(p => p.name) }));
                 return;
             }
 
@@ -285,7 +285,12 @@ function createLocalBridgeHttpHandler(options = {}) {
 
             let parsedBody;
             try { parsedBody = bodyResult.body ? JSON.parse(bodyResult.body) : {}; } catch (_) { parsedBody = {}; }
+            // Override model to match the selected upstream provider
+            if (entry.model && parsedBody && typeof parsedBody === 'object') {
+                parsedBody.model = entry.model;
+            }
             const wantsStream = !!(parsedBody && parsedBody.stream);
+            const bodyToForward = JSON.stringify(parsedBody);
             const upstreamUrl = joinApiUrl(entry.baseUrl.replace(/\/+$/, ''), suffix);
             const headers = { 'Content-Type': 'application/json' };
             if (entry.apiKey) {
@@ -300,7 +305,7 @@ function createLocalBridgeHttpHandler(options = {}) {
                 // Streaming proxy: pipe upstream SSE directly to client
                 const upstreamResult = await streamClaudeUpstream(upstreamUrl, {
                     method: req.method || 'POST',
-                    body: bodyResult.body,
+                    body: bodyToForward,
                     headers,
                     maxBytes: maxUpstreamBytes,
                     httpAgent,
@@ -322,7 +327,7 @@ function createLocalBridgeHttpHandler(options = {}) {
             // Non-streaming proxy
             const upstreamResult = await retryTransientRequest(() => proxyRequestJson(upstreamUrl, {
                 method: req.method || 'POST',
-                body: bodyResult.body || null,
+                body: bodyToForward || null,
                 headers,
                 maxBytes: maxUpstreamBytes,
                 httpAgent,

package/cli/openai-bridge.js

@@ -5,7 +5,7 @@ const { StringDecoder } = require('string_decoder');
 const { readJsonFile, writeJsonAtomic } = require('../lib/cli-file-utils');
 const { isValidHttpUrl, normalizeBaseUrl, joinApiUrl } = require('../lib/cli-utils');
 
-const DEFAULT_BRIDGE_TOKEN = 'codexmate';
+const DEFAULT_BRIDGE_TOKEN = crypto.randomBytes(16).toString('hex');
 const SETTINGS_VERSION = 1;
 // 推理模型 reasoning 阶段可能长时间无字节输出，需匹配 codex 的 stream_idle_timeout_ms=300000。
 const STREAM_IDLE_TIMEOUT_MS = 5 * 60 * 1000;

package/cli/update.js

@@ -1,5 +1,6 @@
 const fs = require('fs');
 const path = require('path');
+const os = require('os');
 const https = require('https');
 const { execSync, spawn } = require('child_process');
 
@@ -147,8 +148,16 @@ function updateViaStandalone(version) {
     if (process.platform !== 'win32') {
         console.log('[Update] 尝试自动执行安装脚本...');
         try {
-            const script = 'curl -fsSL https://raw.githubusercontent.com/SakuraByteCore/codexmate/main/scripts/install.sh | bash';
-            execSync(script, { stdio: 'inherit' });
+            const crypto = require('crypto');
+            const tmpScript = path.join(os.tmpdir(), `codexmate-install-${Date.now()}.sh`);
+            const { execFileSync, execSync: _unused } = require('child_process');
+            execSync(`curl -fsSL -o "${tmpScript}" https://raw.githubusercontent.com/SakuraByteCore/codexmate/main/scripts/install.sh`, { stdio: 'inherit' });
+            const scriptContent = fs.readFileSync(tmpScript, 'utf-8');
+            const checksum = crypto.createHash('sha256').update(scriptContent).digest('hex');
+            console.log(`[Update] Script checksum: ${checksum}`);
+            fs.chmodSync(tmpScript, 0o755);
+            execFileSync('bash', [tmpScript], { stdio: 'inherit' });
+            try { fs.unlinkSync(tmpScript); } catch (_) {}
         } catch (e) {
             console.warn('[Update] 自动脚本执行失败，请手动运行。');
         }

package/cli.js

@@ -7,7 +7,7 @@ const toml = require('@iarna/toml');
 const JSON5 = require('json5');
 const zipLib = require('zip-lib');
 const yauzl = require('yauzl');
-const { exec, execSync, spawn, spawnSync } = require('child_process');
+const { exec, execSync, execFileSync, spawn, spawnSync } = require('child_process');
 const http = require('http');
 const https = require('https');
 const net = require('net');
@@ -175,7 +175,7 @@ const {
 } = require('./lib/download-artifacts');
 
 const DEFAULT_WEB_PORT = 3737;
-const DEFAULT_WEB_HOST = '0.0.0.0';
+const DEFAULT_WEB_HOST = '127.0.0.1';
 const DEFAULT_WEB_OPEN_HOST = '127.0.0.1';
 
 // ============================================================================
@@ -758,7 +758,7 @@ function updateAuthJson(apiKey) {
         } catch (e) { }
     }
     authData['OPENAI_API_KEY'] = apiKey;
-    fs.writeFileSync(AUTH_FILE, JSON.stringify(authData, null, 2), 'utf-8');
+    fs.writeFileSync(AUTH_FILE, JSON.stringify(authData, null, 2), { encoding: 'utf-8', mode: 0o600 });
 }
 
 function isPlainObject(value) {
@@ -1711,6 +1711,7 @@ const {
     path,
     os,
     execSync,
+    execFileSync,
     zipLib,
     yauzl,
     ensureDir,
@@ -4234,6 +4235,9 @@ function parseClaudeSessionSummary(filePath, options = {}) {
 
     const tailRecords = parseJsonlTailRecords(filePath, summaryReadBytes);
     for (const record of tailRecords) {
+        if (record && record.timestamp) {
+            updatedAt = updateLatestIso(updatedAt, record.timestamp);
+        }
         applySessionUsageSummaryFromRecord(usageState, record, 'claude');
         totalTokens = usageState.totalTokens || 0;
         contextWindow = usageState.contextWindow || 0;
@@ -4741,8 +4745,8 @@ function listClaudeSessions(limit, options = {}) {
                 continue;
             }
 
-            const updatedAt = toIsoTime(entry.modified || entry.fileMtime, '');
-            const createdAt = toIsoTime(entry.created, '');
+            let updatedAt = toIsoTime(entry.modified || entry.fileMtime, fileStat.mtime.toISOString());
+            let createdAt = toIsoTime(entry.created, '');
             let title = truncateText(entry.summary || entry.firstPrompt || sessionId, 120);
             let messageCount = Number.isFinite(entry.messageCount) ? Math.max(0, entry.messageCount - 1) : 0;
             let totalTokens = 0;
@@ -4774,6 +4778,12 @@ function listClaudeSessions(limit, options = {}) {
 
                 const quickMessages = [];
                 for (const record of quickRecords) {
+                    if (record && record.timestamp) {
+                        if (!createdAt) {
+                            createdAt = toIsoTime(record.timestamp, createdAt);
+                        }
+                        updatedAt = updateLatestIso(updatedAt, record.timestamp);
+                    }
                     applySessionUsageSummaryFromRecord(usageState, record, 'claude');
                     const recordModels = readSessionModelsFromRecord(record);
                     for (const recordModel of recordModels) {
@@ -4804,6 +4814,12 @@ function listClaudeSessions(limit, options = {}) {
 
             const tailRecords = parseJsonlTailRecords(filePath, summaryReadBytes);
             for (const record of tailRecords) {
+                if (record && record.timestamp) {
+                    if (!createdAt) {
+                        createdAt = toIsoTime(record.timestamp, createdAt);
+                    }
+                    updatedAt = updateLatestIso(updatedAt, record.timestamp);
+                }
                 applySessionUsageSummaryFromRecord(usageState, record, 'claude');
                 const recordModels = readSessionModelsFromRecord(record);
                 for (const recordModel of recordModels) {
@@ -4863,27 +4879,29 @@ function listClaudeSessions(limit, options = {}) {
         }
     }
 
-    if (sessions.length === 0) {
-        const fallbackFiles = collectRecentJsonlFiles(claudeProjectsDir, {
-            returnCount: scanCount,
-            maxFilesScanned,
-            ignoreSubPath: `${path.sep}subagents${path.sep}`
+    // 补充扫描未索引的 .jsonl 文件（包括 sessions-index.json 中遗漏的会话）
+    const seenFilePaths = new Set(sessions.map((item) => item.filePath).filter(Boolean));
+    const fallbackFiles = collectRecentJsonlFiles(claudeProjectsDir, {
+        returnCount: scanCount,
+        maxFilesScanned,
+        ignoreSubPath: `${path.sep}subagents${path.sep}`
+    });
+    for (const filePath of fallbackFiles) {
+        if (seenFilePaths.has(filePath)) continue;
+        const summary = parseClaudeSessionSummary(filePath, {
+            summaryReadBytes,
+            titleReadBytes
         });
-        for (const filePath of fallbackFiles) {
-            const summary = parseClaudeSessionSummary(filePath, {
-                summaryReadBytes,
-                titleReadBytes
-            });
-            if (summary) {
-                sessions.push(attachSessionNativeStatus({
-                    ...summary,
-                    derived: isDerivedSessionFile(filePath)
-                }));
-            }
+        if (summary) {
+            sessions.push(attachSessionNativeStatus({
+                ...summary,
+                derived: isDerivedSessionFile(filePath)
+            }));
+            seenFilePaths.add(filePath);
+        }
 
-            if (sessions.length >= targetCount) {
-                break;
-            }
+        if (sessions.length >= targetCount) {
+            break;
         }
     }
 
@@ -7892,7 +7910,7 @@ function normalizeImportPayload(payload) {
             const name = item.name || item.provider || '';
             const baseUrl = item.baseUrl || item.base_url || item.url || '';
             const apiKey = item.apiKey ?? item.key ?? item.preferred_auth_method ?? null;
-            if (name && baseUrl) {
+            if (name && baseUrl && /^[a-zA-Z0-9_\-.\s]+$/.test(name)) {
                 providers[name] = { baseUrl, apiKey };
             }
         }
@@ -7901,7 +7919,7 @@ function normalizeImportPayload(payload) {
             if (!item || typeof item !== 'object') continue;
             const baseUrl = item.baseUrl || item.base_url || item.url || '';
             const apiKey = item.apiKey ?? item.key ?? item.preferred_auth_method ?? null;
-            if (name && baseUrl) {
+            if (name && baseUrl && /^[a-zA-Z0-9_\-.\s]+$/.test(name)) {
                 providers[name] = { baseUrl, apiKey };
             }
         }
@@ -9237,6 +9255,9 @@ function applyClaudeSettingsRaw(params = {}) {
     if (!content.trim()) {
         return { error: '内容不能为空' };
     }
+    if (content.length > 1024 * 1024) {
+        return { error: '内容过大（最大 1MB）' };
+    }
     let parsed;
     try {
         parsed = JSON.parse(content);
@@ -10039,9 +10060,10 @@ function watchPathsForRestart(targets, onChange) {
 }
 // #endregion watchPathsForRestart
 
-function writeJsonResponse(res, statusCode, payload) {
+function writeJsonResponse(res, statusCode, payload, headers = {}) {
     const body = JSON.stringify(payload, null, 2);
     res.writeHead(statusCode, {
+        ...headers,
         'Content-Type': 'application/json; charset=utf-8',
         'Content-Length': Buffer.byteLength(body, 'utf-8')
     });
@@ -10119,7 +10141,7 @@ function assertRequestAuthorized(req, res) {
         return { ok: false, mode: 'missing-token' };
     }
     const actual = extractRequestToken(req);
-    if (!actual || actual !== expected) {
+    if (!actual || !safeTimingEqual(actual, expected)) {
         writeJsonResponse(res, 401, { error: 'Unauthorized' });
         return { ok: false, mode: 'unauthorized' };
     }
@@ -10576,7 +10598,38 @@ function createWebServer({ htmlPath, assetsDir, webDir, host, port, openBrowser
         res.end('Internal Server Error');
     };
 
+    const rateLimitMap = new Map();
+    const RATE_LIMIT_WINDOW_MS = 60000;
+    const RATE_LIMIT_MAX = 120;
+    function checkRateLimit(key) {
+        const now = Date.now();
+        const entry = rateLimitMap.get(key);
+        if (!entry || now - entry.start > RATE_LIMIT_WINDOW_MS) {
+            rateLimitMap.set(key, { start: now, count: 1 });
+            return true;
+        }
+        entry.count++;
+        if (entry.count > RATE_LIMIT_MAX) return false;
+        return true;
+    }
+    setInterval(function () {
+        const now = Date.now();
+        for (const [key, entry] of rateLimitMap.entries()) {
+            if (now - entry.start > RATE_LIMIT_WINDOW_MS * 2) rateLimitMap.delete(key);
+        }
+    }, RATE_LIMIT_WINDOW_MS).unref();
+
     const server = http.createServer((req, res) => {
+        const securityHeaders = {
+            'X-Content-Type-Options': 'nosniff',
+            'X-Frame-Options': 'DENY',
+            'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' ws: wss:"
+        };
+        const origWriteHead = res.writeHead.bind(res);
+        res.writeHead = function (statusCode, headers) {
+            const merged = Object.assign({}, securityHeaders, headers || {});
+            return origWriteHead(statusCode, merged);
+        };
         const requestPath = (req.url || '/').split('?')[0];
         const sendJson = (statusCode, payload) => {
             const body = JSON.stringify(payload || {}, null, 2);
@@ -10599,28 +10652,15 @@ function createWebServer({ htmlPath, assetsDir, webDir, host, port, openBrowser
             || requestPath.startsWith('/download/')
         ) {
             const remoteAddr = req && req.socket ? req.socket.remoteAddress : '';
-            const isLoopback = !remoteAddr
-                || remoteAddr === '127.0.0.1'
-                || remoteAddr === '::1'
-                || remoteAddr === '::ffff:127.0.0.1';
+            const isLoopback = !remoteAddr || isLoopbackRemoteAddress(remoteAddr);
             if (!isLoopback) {
-                const expected = typeof process.env.CODEXMATE_HTTP_TOKEN === 'string'
-                    ? process.env.CODEXMATE_HTTP_TOKEN.trim()
-                    : '';
-                if (!expected) {
-                    sendJson(403, {
-                        error: 'Remote access is disabled (set CODEXMATE_HTTP_TOKEN or use --host 127.0.0.1)'
-                    });
+                const rateLimitKey = (remoteAddr || 'unknown') + ':' + requestPath;
+                if (!checkRateLimit(rateLimitKey)) {
+                    writeJsonResponse(res, 429, { error: 'Rate limit exceeded' }, { 'Retry-After': '60' });
                     return;
                 }
-                const headers = req && req.headers && typeof req.headers === 'object' ? req.headers : {};
-                const rawAuth = typeof headers.authorization === 'string' ? headers.authorization.trim() : '';
-                const match = rawAuth ? rawAuth.match(/^bearer\s+(.+)$/i) : null;
-                const actual = match && match[1]
-                    ? match[1].trim()
-                    : (rawAuth ? rawAuth : (typeof headers['x-codexmate-token'] === 'string' ? String(headers['x-codexmate-token']).trim() : ''));
-                if (!actual || actual !== expected) {
-                    sendJson(401, { error: 'Unauthorized' });
+                const auth = assertRequestAuthorized(req, res);
+                if (!auth.ok) {
                     return;
                 }
             }
@@ -11352,15 +11392,18 @@ function createWebServer({ htmlPath, assetsDir, webDir, host, port, openBrowser
                     res.end(errorBody, 'utf-8');
                 }
             });
-        } else if (requestPath === '/web-ui') {
-            try {
-                const html = readBundledWebUiHtml(htmlPath);
-                res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
-                res.end(html);
-            } catch (error) {
-                writeWebUiAssetError(res, requestPath, error);
-            }
+        } else if (requestPath === '/web-ui/index.html') {
+            const rawUrl = typeof req.url === 'string' ? req.url : '';
+            const queryIndex = rawUrl.indexOf('?');
+            const query = queryIndex >= 0 ? rawUrl.slice(queryIndex) : '';
+            res.writeHead(302, {
+                'Location': `/${query}`,
+                'Content-Type': 'text/plain; charset=utf-8',
+                'Cache-Control': 'no-store, max-age=0'
+            });
+            res.end('Found');
         } else if (requestPath.startsWith('/web-ui/')) {
+            // Skip the /web-ui/ directory itself, which is handled above
             const normalized = path.normalize(requestPath).replace(/^([\\.\\/])+/, '');
             const filePath = path.join(__dirname, normalized);
             if (!isPathInside(filePath, webDir)) {
@@ -11369,11 +11412,22 @@ function createWebServer({ htmlPath, assetsDir, webDir, host, port, openBrowser
                 return;
             }
             const relativePath = path.relative(webDir, filePath).replace(/\\/g, '/');
+
+            // Empty relativePath means direct /web-ui/ access - return 404
+            if (relativePath === '' || relativePath === 'index.html') {
+                res.writeHead(404, { 'Content-Type': 'text/plain; charset=utf-8' });
+                res.end('Not Found');
+                return;
+            }
+
             const dynamicAsset = PUBLIC_WEB_UI_DYNAMIC_ASSETS.get(relativePath);
             if (dynamicAsset) {
                 try {
                     const assetBody = dynamicAsset.reader(filePath);
-                    res.writeHead(200, { 'Content-Type': dynamicAsset.mime });
+                    res.writeHead(200, {
+                        'Content-Type': dynamicAsset.mime,
+                        'Cache-Control': 'no-store, max-age=0'
+                    });
                     res.end(assetBody, 'utf-8');
                 } catch (error) {
                     writeWebUiAssetError(res, requestPath, error);
@@ -11400,7 +11454,10 @@ function createWebServer({ htmlPath, assetsDir, webDir, host, port, openBrowser
                         : ext === '.json'
                             ? 'application/json; charset=utf-8'
                             : 'application/octet-stream';
-            res.writeHead(200, { 'Content-Type': mime });
+            res.writeHead(200, {
+                'Content-Type': mime,
+                'Cache-Control': 'no-store, max-age=0'
+            });
             fs.createReadStream(filePath).pipe(res);
         } else if (requestPath.startsWith('/download/')) {
             const fileName = requestPath.slice('/download/'.length);
@@ -11461,15 +11518,27 @@ function createWebServer({ htmlPath, assetsDir, webDir, host, port, openBrowser
                     : ext === '.json'
                         ? 'application/json; charset=utf-8'
                         : 'application/octet-stream';
-            res.writeHead(200, { 'Content-Type': mime });
+            res.writeHead(200, {
+                'Content-Type': mime,
+                'Cache-Control': 'no-store, max-age=0'
+            });
             fs.createReadStream(filePath).pipe(res);
         } else {
-            try {
-                const html = readBundledWebUiHtml(htmlPath);
-                res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
-                res.end(html);
-            } catch (error) {
-                writeWebUiAssetError(res, requestPath, error);
+            // Only serve HTML for root path; /web-ui returns 404.
+            if (requestPath === '/') {
+                try {
+                    const html = readBundledWebUiHtml(htmlPath);
+                    res.writeHead(200, {
+                        'Content-Type': 'text/html; charset=utf-8',
+                        'Cache-Control': 'no-store, max-age=0'
+                    });
+                    res.end(html);
+                } catch (error) {
+                    writeWebUiAssetError(res, requestPath, error);
+                }
+            } else {
+                res.writeHead(404, { 'Content-Type': 'text/plain; charset=utf-8' });
+                res.end('Not Found');
             }
         }
     });

package/lib/cli-webhook.js

@@ -3,10 +3,33 @@ const fs = require('fs');
 const http = require('http');
 const https = require('https');
 const os = require('os');
+const net = require('net');
 
 const ALLOWED_EVENTS = ['provider-switch', 'claude-md-edit'];
 const DEFAULT_TIMEOUT_MS = 5000;
 
+function isPrivateNetworkHost(hostname) {
+    const host = typeof hostname === 'string' ? hostname.trim().toLowerCase() : '';
+    if (!host) return true;
+    if (host === 'localhost') return true;
+    const ipVer = net.isIP(host);
+    if (!ipVer) return false;
+    if (ipVer === 4) {
+        const parts = host.split('.').map(function (x) { return parseInt(x, 10); });
+        if (parts[0] === 10) return true;
+        if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return true;
+        if (parts[0] === 192 && parts[1] === 168) return true;
+        if (parts[0] === 127) return true;
+        if (parts[0] === 0) return true;
+        if (parts[0] === 169 && parts[1] === 254) return true;
+        return false;
+    }
+    if (host === '::1' || host === '::') return true;
+    if (host.startsWith('fc') || host.startsWith('fd')) return true;
+    if (host.startsWith('fe80')) return true;
+    return false;
+}
+
 function defaultConfigPath() {
     return path.join(os.homedir(), '.codex', 'codexmate-webhook.json');
 }
@@ -42,7 +65,7 @@ function saveWebhookConfig(cfg, filePath) {
     try {
         fs.mkdirSync(path.dirname(target), { recursive: true });
     } catch (_) {}
-    fs.writeFileSync(target, JSON.stringify(normalized, null, 2), 'utf-8');
+    fs.writeFileSync(target, JSON.stringify(normalized, null, 2), { encoding: 'utf-8', mode: 0o600 });
     return normalized;
 }
 
@@ -55,6 +78,11 @@ function postJson(targetUrl, payload, timeoutMs) {
             resolve({ ok: false, error: 'invalid-url' });
             return;
         }
+        const allowPrivateWebhook = process.env.CODEXMATE_ALLOW_PRIVATE_WEBHOOK === '1';
+        if (!allowPrivateWebhook && isPrivateNetworkHost(parsed.hostname || '')) {
+            resolve({ ok: false, error: 'Refusing to send webhook to private network host' });
+            return;
+        }
         const transport = parsed.protocol === 'https:' ? https : http;
         const body = JSON.stringify(payload || {});
         let req;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codexmate",
-  "version": "0.0.33",
+  "version": "0.0.36",
   "description": "Codex/Claude Code/OpenClaw 配置、会话与任务编排 CLI + Web 工具",
   "main": "cli.js",
   "bin": {
@@ -46,6 +46,7 @@
   },
   "dependencies": {
     "@iarna/toml": "^2.2.5",
+    "@vue/compiler-dom": "^3.5.30",
     "json5": "^2.2.3",
     "yauzl": "^3.2.1",
     "zip-lib": "^1.2.1"

package/web-ui/app.js

@@ -7,8 +7,10 @@ import {
 import { createAppComputed } from './modules/app.computed.index.mjs';
 import { createAppMethods } from './modules/app.methods.index.mjs';
 import { loadConfigTemplateDiffConfirmEnabledFromStorage } from './modules/config-template-confirm-pref.mjs';
+import { installWebUiUrlCanonicalization } from './modules/sessions-filters-url.mjs';
 
 document.addEventListener('DOMContentLoaded', () => {
+    installWebUiUrlCanonicalization();
     if (typeof Vue === 'undefined') {
         console.error('Vue 库未能在 DOMContentLoaded 触发前加载完成。');
         const fallbackTarget = document.querySelector('#app') || document.querySelector('[v-cloak]');
@@ -26,9 +28,10 @@ document.addEventListener('DOMContentLoaded', () => {
 
     const { createApp } = Vue;
 
-    const app = createApp({
+    const appOptions = {
         data() {
             return {
+                brandHovered: false,
                 lang: 'zh',
                 appVersion: '',
                 mainTab: 'dashboard',
@@ -71,6 +74,9 @@ document.addEventListener('DOMContentLoaded', () => {
                 showAgentsModal: false,
                 showSkillsModal: false,
                 showHealthCheckModal: false,
+                showCodexBridgePoolModal: false,
+                showClaudeBridgePoolModal: false,
+                showWebhookModal: false,
                 // Plugins
                 pluginsActiveId: 'prompt-templates',
                 pluginsLoading: false,
@@ -98,6 +104,7 @@ document.addEventListener('DOMContentLoaded', () => {
                 confirmDialogResolver: null,
                 configTemplateContent: '',
                 configTemplateApplying: false,
+                configTemplateContext: 'codex',
                 configTemplateDiffVisible: false,
                 configTemplateDiffLoading: false,
                 configTemplateDiffError: '',
@@ -226,6 +233,7 @@ document.addEventListener('DOMContentLoaded', () => {
                 sessionPreviewHeaderEl: null,
                 sessionPreviewHeaderResizeObserver: null,
                 sessionListRenderEnabled: false,
+                preserveSessionRenderOnTabLeave: true,
                 sessionListVisibleCount: 0,
                 sessionListInitialBatchSize: 40,
                 sessionListLoadStep: 80,
@@ -416,6 +424,27 @@ document.addEventListener('DOMContentLoaded', () => {
         },
 
         mounted() {
+            // URL 规范化：将 /web-ui/* 重定向到根路径 /
+            try {
+                const pathname = window.location.pathname;
+                if (pathname === '/web-ui' || pathname === '/web-ui/' || pathname === '/web-ui/index.html') {
+                    const url = new URL(window.location.href);
+                    url.pathname = '/';
+                    // 移除查询参数和 hash，保持 URL 纯净
+                    url.search = '';
+                    url.hash = '';
+                    window.location.replace(url.toString());
+                    return;
+                }
+                // 清理任何查询参数和 hash，保持 URL 为 /
+                if (window.location.search || window.location.hash) {
+                    const url = new URL(window.location.href);
+                    url.search = '';
+                    url.hash = '';
+                    window.history.replaceState(null, '', url.toString());
+                }
+            } catch (_) {}
+
             if (typeof this.initI18n === 'function') {
                 this.initI18n();
             }
@@ -644,7 +673,13 @@ document.addEventListener('DOMContentLoaded', () => {
 
         computed: createAppComputed(),
         methods: createAppMethods()
-    });
+    };
+
+    if (typeof window.__CODEXMATE_WEB_UI_RENDER__ === 'function') {
+        appOptions.render = window.__CODEXMATE_WEB_UI_RENDER__;
+    }
+
+    const app = createApp(appOptions);
 
     app.mount('#app');
 });