evolclaw-web 1.1.0 → 1.2.2

package/dist/index.js

@@ -67,14 +67,14 @@ const fileLog = (line) => {
 };
 const log = (line) => { logLine(line); fileLog(line); };
 // 单实例保护：
-// 1) 按 instance 文件杀掉登记在册的旧 watch-web 进程
-const { writeWatchWeb, removeWatchWeb, cleanupWatchWebs, cleanupWatchWebByPort } = await import('./process-utils.js');
-const killedWebs = cleanupWatchWebs();
+// 1) 按 instance 文件杀掉登记在册的旧 ecweb 进程
+const { writeEcweb, removeEcweb, cleanupEcwebs, cleanupEcwebByPort } = await import('./process-utils.js');
+const killedWebs = cleanupEcwebs();
 for (const r of killedWebs)
-    logLine(`${YELLOW}↺ 已清理旧 watch 进程 PID ${r.pid}（端口 ${r.port}）${RST}`);
+    logLine(`${YELLOW}↺ 已清理旧 ecweb 进程 PID ${r.pid}（端口 ${r.port}）${RST}`);
 // 2) 兜底：按端口杀掉 instance 文件已丢失的孤儿进程（杀不掉的僵尸）
 const WATCH_WEB_PORT = port ?? 42705;
-const killedByPort = cleanupWatchWebByPort(WATCH_WEB_PORT);
+const killedByPort = cleanupEcwebByPort(WATCH_WEB_PORT);
 for (const pid of killedByPort)
     logLine(`${YELLOW}↺ 已强占端口 ${WATCH_WEB_PORT}：杀掉占用进程 PID ${pid}${RST}`);
 if (killedWebs.length > 0 || killedByPort.length > 0) {
@@ -90,7 +90,7 @@ catch (e) {
     process.exit(1);
 }
 // 注册 instance 文件
-writeWatchWeb(handle.port);
+writeEcweb(handle.port);
 // 列出访问地址
 const ifaces = os.networkInterfaces();
 const lanIps = [];
@@ -101,7 +101,7 @@ for (const list of Object.values(ifaces)) {
     }
 }
 process.stdout.write(`\n${BOLD}${CYAN}🔭 EvolClaw Watch${RST}  ${DIM}(home: ${p.root})${RST}\n\n`);
-process.stdout.write(`  ${BOLD}配对码:${RST}  ${GREEN}${BOLD}${handle.pairingCode}${RST}  ${DIM}(5 分钟内有效，配对后 token 缓存 24h 自动续期)${RST}\n\n`);
+process.stdout.write(`  ${BOLD}配对码:${RST}  ${GREEN}${BOLD}${handle.pairingCode}${RST}  ${DIM}(5 分钟内有效，配对后 token 缓存 30 天，有访问自动续期)${RST}\n\n`);
 process.stdout.write(`  ${BOLD}本机:${RST}    http://localhost:${handle.port}\n`);
 for (const ip of lanIps)
     process.stdout.write(`  ${BOLD}局域网:${RST}  http://${ip}:${handle.port}\n`);
@@ -116,13 +116,13 @@ const cleanup = () => {
         return; // 幂等：raw 模式下连按 Ctrl-C/q 不应重复触发
     cleaningUp = true;
     logLine(`${YELLOW}退出中…${RST}`);
-    removeWatchWeb();
+    removeEcweb();
     // 兜底：close() 万一卡住也强制退出，避免进程挂死
     const force = setTimeout(() => process.exit(0), 2000);
     force.unref();
     handle.close().finally(() => process.exit(0));
 };
-process.on('exit', () => removeWatchWeb());
+process.on('exit', () => removeEcweb());
 process.on('SIGINT', cleanup);
 process.on('SIGTERM', cleanup);
 if (process.stdin.isTTY) {

package/dist/process-utils.js

@@ -151,25 +151,32 @@ function readCmdline(pid) {
 function instanceDir() {
     return resolvePaths().instanceDir;
 }
-function watchWebFile(pid) {
-    return path.join(instanceDir(), `watch-web-${pid}.json`);
+function isEcwebInstanceFile(file) {
+    return /^(ecweb|watch-web)-\d+\.json$/.test(file);
 }
-export function writeWatchWeb(port) {
+function ecwebFile(pid) {
+    return path.join(instanceDir(), `ecweb-${pid}.json`);
+}
+export function writeEcweb(port) {
     const dir = instanceDir();
     fs.mkdirSync(dir, { recursive: true });
     const startedAt = getProcessStartTime(process.pid) ?? Date.now();
     const record = { pid: process.pid, startedAt, startedAtIso: new Date(startedAt).toISOString(), port };
-    const filePath = watchWebFile(process.pid);
+    const filePath = ecwebFile(process.pid);
     const tmp = filePath + '.tmp';
     fs.writeFileSync(tmp, JSON.stringify(record, null, 2));
     fs.renameSync(tmp, filePath);
     return filePath;
 }
-export function removeWatchWeb(pid) {
-    try {
-        fs.unlinkSync(watchWebFile(pid ?? process.pid));
+export function removeEcweb(pid) {
+    const target = pid ?? process.pid;
+    const dir = instanceDir();
+    for (const prefix of ['ecweb', 'watch-web']) {
+        try {
+            fs.unlinkSync(path.join(dir, `${prefix}-${target}.json`));
+        }
+        catch { }
     }
-    catch { }
 }
 function safeParseJson(filePath) {
     try {
@@ -180,10 +187,11 @@ function safeParseJson(filePath) {
     }
 }
 /**
- * 杀掉所有非自己 PID 的存活 watch-web 进程并清理文件。
+ * 杀掉所有非自己 PID 的存活 ecweb 进程并清理文件。
+ * 兼容清理迁移前遗留的 watch-web-*.json。
  * 用启动时间比对防 PID 复用。返回被杀的记录列表。
  */
-export function cleanupWatchWebs() {
+export function cleanupEcwebs() {
     const dir = instanceDir();
     if (!fs.existsSync(dir))
         return [];
@@ -196,7 +204,7 @@ export function cleanupWatchWebs() {
     }
     const killed = [];
     for (const file of files) {
-        if (!file.startsWith('watch-web-') || !file.endsWith('.json'))
+        if (!isEcwebInstanceFile(file))
             continue;
         const filePath = path.join(dir, file);
         const record = safeParseJson(filePath);
@@ -217,7 +225,7 @@ export function cleanupWatchWebs() {
  * 兜底：按端口找占用进程，确认是 ecweb 进程后 SIGKILL。
  * 用于清理 instance 文件已丢失的孤儿进程（杀不掉的僵尸）。返回被杀的 PID 列表。
  */
-export function cleanupWatchWebByPort(port) {
+export function cleanupEcwebByPort(port) {
     const killed = [];
     for (const pid of findPidByPort(port)) {
         if (pid === process.pid || !isProcessRunning(pid))

package/dist/server.js

@@ -3,7 +3,7 @@
  *
  * - HTTP: 静态资源 + 配对 API
  * - WebSocket: 订阅式实时推送（aid / msg / session）
- * - 鉴权: 6 位配对码（5 分钟有效）→ token（24h，有访问自动续期），持久化到磁盘
+ * - 鉴权: 6 位配对码（5 分钟有效）→ token（30 天，有访问自动续期），持久化到磁盘
  * - 安全: 绑定 0.0.0.0（支持远程访问），token 校验，只读
  *
  * 与 evolclaw 的唯一通信：启动时发 ping 检查 protocolVersion（soft 校验）。
@@ -12,6 +12,7 @@ import http from 'http';
 import fs from 'fs';
 import path from 'path';
 import crypto from 'crypto';
+import { spawnSync } from 'child_process';
 import { fileURLToPath } from 'url';
 import { WebSocketServer } from 'ws';
 import { resolvePaths } from './paths.js';
@@ -19,20 +20,22 @@ import { ipcQuery } from './ipc-client.js';
 import { setDebugLog, dlog } from './debug-log.js';
 import { aidSource } from './sources/aid.js';
 import { msgSource } from './sources/msg.js';
-import { sessionSource } from './sources/session.js';
+import { sessionSource, buildBindMap } from './sources/session.js';
 import { cacheSource } from './sources/cache.js';
 import { systemSource } from './sources/system.js';
 import { triggersSource } from './sources/triggers.js';
-import { queryStatsForDashboard, queryStatsExplorer, queryStatsByPeer, queryStatsByAgent, queryStatsOverview } from './sources/stats.js';
+import { monitorSource } from './sources/monitor.js';
+import { gatewaySource } from './sources/gateway.js';
+import { queryStatsForDashboard, queryStatsExplorer, queryStatsByPeer, queryStatsOverview, queryUsageDetail, queryUsedModels } from './sources/stats.js';
 import { getSessionsAunDir, listLocalAids, listPeers, readMessages } from './fs-utils.js';
 import { ccProjectsDir } from './paths.js';
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const STATIC_DIR = path.join(__dirname, 'static');
-const TOKEN_TTL_MS = 24 * 60 * 60 * 1000; // 24h
+const TOKEN_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30天（滑动窗口：每次有效访问刷新 lastActive 自动续期）
 const PAIRING_TTL_MS = 5 * 60 * 1000; // 5min
 const DEFAULT_PORT = 42705;
 const PROTOCOL_VERSION = 1; // 与 evolclaw ping response 对齐的软校验版本
-const SOURCES = { agents: aidSource, msg: msgSource, session: sessionSource, cache: cacheSource, system: systemSource, triggers: triggersSource };
+const SOURCES = { agents: aidSource, msg: msgSource, session: sessionSource, cache: cacheSource, system: systemSource, triggers: triggersSource, monitor: monitorSource, gateway: gatewaySource };
 // ECWeb 自身版本：渲染 System 页时随快照下发（不走 daemon IPC，ECWeb 就是这个进程）。
 function readEcwebVersion() {
     try {
@@ -52,7 +55,16 @@ const MIME = {
     '.svg': 'image/svg+xml',
 };
 function tokenStorePath() {
-    return path.join(resolvePaths().instanceDir, 'watch-web-tokens.json');
+    const dir = resolvePaths().instanceDir;
+    const current = path.join(dir, 'ecweb-tokens.json');
+    const legacy = path.join(dir, 'watch-web-tokens.json');
+    if (!fs.existsSync(current) && fs.existsSync(legacy)) {
+        try {
+            fs.renameSync(legacy, current);
+        }
+        catch { }
+    }
+    return current;
 }
 function loadTokens() {
     try {
@@ -93,6 +105,26 @@ function validateAndRenew(token, now) {
     return false;
 }
 // ── Static ──
+// 经 AUN Service Proxy 转发时，proxy-server 注入 x-forwarded-prefix 头，
+// 值为外部前缀（如 /evolai/ecweb）。把它作为 <base href> 注入 index.html，
+// 使相对路径资源（style.css / app.js / api / ws）在带不带尾斜杠时都正确解析。
+// 本地直连无此头，<base> 注入为 "/"，行为不变。
+function forwardedPrefix(req) {
+    const raw = req.headers['x-forwarded-prefix'];
+    const value = (Array.isArray(raw) ? raw[0] : raw || '').trim();
+    // 安全：只接受形如 /a/b 的简单路径，拒绝含协议、双斜杠、引号、尖括号等的值
+    if (!value || !/^\/[A-Za-z0-9._~%/-]*$/.test(value))
+        return '';
+    return value.replace(/\/+$/, ''); // 去尾斜杠，注入时统一补
+}
+function injectBaseHref(html, prefix) {
+    const base = prefix ? `${prefix}/` : '/';
+    const tag = `<base href="${base}">`;
+    // 若已有 <base> 则替换，否则插在 <head> 之后
+    if (/<base\b[^>]*>/i.test(html))
+        return html.replace(/<base\b[^>]*>/i, tag);
+    return html.replace(/<head[^>]*>/i, (m) => `${m}\n  ${tag}`);
+}
 function serveStatic(req, res) {
     let urlPath = (req.url || '/').split('?')[0];
     if (urlPath === '/')
@@ -108,7 +140,16 @@ function serveStatic(req, res) {
             res.writeHead(404).end('Not Found');
             return;
         }
-        res.writeHead(200, { 'Content-Type': MIME[path.extname(file)] || 'application/octet-stream' });
+        const ext = path.extname(file);
+        // index.html 注入 <base href>，适配 AUN Service Proxy 前缀
+        if (ext === '.html') {
+            const prefix = forwardedPrefix(req);
+            const html = injectBaseHref(data.toString('utf-8'), prefix);
+            res.writeHead(200, { 'Content-Type': MIME[ext] });
+            res.end(html);
+            return;
+        }
+        res.writeHead(200, { 'Content-Type': MIME[ext] || 'application/octet-stream' });
         res.end(data);
     });
 }
@@ -172,40 +213,97 @@ function handleStatsApi(req, res) {
         res.end(JSON.stringify(data));
     }
     else if (urlPath === '/api/stats/agents') {
+        // 返回所有agent列表（与智能体管理页面一致，从aidSource获取）
+        aidSource.snapshot().then(snapshot => {
+            const agents = (snapshot?.agents || []).map((ag) => ({
+                agent_aid: ag.aid,
+                agent_name: ag.displayName || null
+            }));
+            res.writeHead(200);
+            res.end(JSON.stringify(agents));
+        }).catch(err => {
+            res.writeHead(500);
+            res.end(JSON.stringify({ error: 'Failed to fetch agents' }));
+        });
+        return;
+    }
+    else if (urlPath === '/api/stats/overview') {
+        // 从查询参数中获取时间范围和筛选条件
         const params = {};
         if (query.from)
             params.from_ts = Number(query.from);
         if (query.to)
             params.to_ts = Number(query.to);
-        if (query.limit)
-            params.limit = Number(query.limit);
-        const data = queryStatsByAgent(params);
-        res.writeHead(200);
-        res.end(JSON.stringify(data));
-    }
-    else if (urlPath === '/api/stats/overview') {
-        const tokenStats = queryStatsOverview();
-        // session count: scan all CC project dirs
+        if (query.agent)
+            params.agent_aid = String(query.agent);
+        if (query.peer)
+            params.peer_key = String(query.peer);
+        const tokenStats = queryStatsOverview(params);
+        // session count: 使用 bindMap 按 agent 和 peer 筛选
         let sessionCount = 0;
         try {
+            // 构建 agentSessionId → agent_aid 的映射
+            const bindMap = buildBindMap();
+            // 如果指定了 peer_key，提取并解码 channelId
+            let targetChannelId;
+            if (params.peer_key) {
+                const parts = params.peer_key.split('#');
+                if (parts.length >= 4) {
+                    // aun#{agent}#main#{channelId}，需要解码 URL 编码
+                    targetChannelId = decodeURIComponent(parts[3]);
+                }
+            }
             const base = ccProjectsDir();
             for (const d of fs.readdirSync(base, { withFileTypes: true })) {
                 if (!d.isDirectory())
                     continue;
+                const projectDir = path.join(base, d.name);
                 try {
-                    sessionCount += fs.readdirSync(path.join(base, d.name)).filter(f => f.endsWith('.jsonl')).length;
+                    const sessionFiles = fs.readdirSync(projectDir).filter(f => f.endsWith('.jsonl'));
+                    for (const sessionFile of sessionFiles) {
+                        const sessionId = sessionFile.replace('.jsonl', '');
+                        // 如果指定了 agent 或 peer，检查该会话是否匹配
+                        if (params.agent_aid || targetChannelId) {
+                            const bindInfo = bindMap.get(sessionId);
+                            if (!bindInfo)
+                                continue;
+                            // 检查 agent
+                            if (params.agent_aid && bindInfo.selfAID !== params.agent_aid)
+                                continue;
+                            // 检查 peer
+                            if (targetChannelId && bindInfo.channelId !== targetChannelId)
+                                continue;
+                        }
+                        // 如果有时间范围限制，检查会话文件的修改时间
+                        if (params.from_ts || params.to_ts) {
+                            const stat = fs.statSync(path.join(projectDir, sessionFile));
+                            const mtime = stat.mtimeMs;
+                            if (params.from_ts && mtime < params.from_ts)
+                                continue;
+                            if (params.to_ts && mtime > params.to_ts)
+                                continue;
+                        }
+                        sessionCount++;
+                    }
                 }
                 catch { }
             }
         }
         catch { }
-        // message counts: scan aun dir
+        // message counts: scan aun dir, 根据时间范围和 agent/peer 过滤
         let msgIn = 0, msgOut = 0;
         try {
             const aunDir = getSessionsAunDir();
-            for (const aid of listLocalAids(aunDir)) {
-                for (const peer of listPeers(aunDir, aid)) {
+            const aids = params.agent_aid ? [params.agent_aid] : listLocalAids(aunDir);
+            for (const aid of aids) {
+                const peers = params.peer_key ? [params.peer_key] : listPeers(aunDir, aid);
+                for (const peer of peers) {
                     for (const m of readMessages(aunDir, aid, peer)) {
+                        // 根据消息时间戳过滤
+                        if (params.from_ts && m.ts < params.from_ts)
+                            continue;
+                        if (params.to_ts && m.ts > params.to_ts)
+                            continue;
                         if (m.dir === 'in')
                             msgIn++;
                         else
@@ -218,6 +316,34 @@ function handleStatsApi(req, res) {
         res.writeHead(200);
         res.end(JSON.stringify({ token_stats: tokenStats, session_count: sessionCount, msg_in: msgIn, msg_out: msgOut }));
     }
+    else if (urlPath === '/api/stats/detail') {
+        // 模型访问明细查询
+        const params = {};
+        if (query.from)
+            params.from_ts = Number(query.from);
+        if (query.to)
+            params.to_ts = Number(query.to);
+        if (query.agent)
+            params.agent_aid = query.agent;
+        if (query.model)
+            params.model = String(query.model);
+        params.limit = Number(query.limit) || 50; // 默认限制50条
+        params.offset = Number(query.offset) || 0; // 默认从0开始
+        const result = queryUsageDetail(params);
+        res.writeHead(200);
+        res.end(JSON.stringify(result));
+    }
+    else if (urlPath === '/api/stats/models') {
+        // 获取指定时间范围内使用过的模型列表
+        const params = {};
+        if (query.from)
+            params.from_ts = Number(query.from);
+        if (query.to)
+            params.to_ts = Number(query.to);
+        const models = queryUsedModels(params);
+        res.writeHead(200);
+        res.end(JSON.stringify(models));
+    }
     else {
         res.writeHead(404);
         res.end(JSON.stringify({ error: 'not found' }));
@@ -235,6 +361,18 @@ function isLocalhost(req) {
     const addr = req.socket.remoteAddress || '';
     return addr === '127.0.0.1' || addr === '::1' || addr === '::ffff:127.0.0.1';
 }
+/**
+ * 判定「真本地直连」：socket 地址是回环 AND 无 x-aun-provider-aid 头。
+ * proxy-server 回连本地时 remoteAddress 也是 127.0.0.1，但会注入 x-aun-provider-aid
+ * 可信头（访客伪造的 x-aun-* 会被 proxy-server 剥掉）。只有真本地直连时两条件同时满足。
+ * 真本地直连免配对（自动发 token），隧道/远程需配对码。
+ */
+function isLocalDirect(req) {
+    if (!isLocalhost(req))
+        return false;
+    const providerAid = req.headers['x-aun-provider-aid'];
+    return !providerAid || (Array.isArray(providerAid) ? providerAid.length === 0 : !providerAid.trim());
+}
 function genPairingCode() {
     return String(crypto.randomInt(0, 1000000)).padStart(6, '0');
 }
@@ -267,9 +405,26 @@ function handlePair(req, res, pairingCode, pairingExpiry, log) {
         store.tokens.push({ token, createdAt: now, lastActive: now, label: ip });
         saveTokens(store);
         res.writeHead(200, { 'Content-Type': 'application/json' }).end(JSON.stringify({ ok: true, token }));
-        log(`✓ 配对成功 from ${ip}（token 缓存 24h）`);
+        log(`✓ 配对成功 from ${ip}（token 缓存 30 天，有访问自动续期）`);
     });
 }
+/**
+ * 本地直连免配对：自动发 token。远程（隧道或真远程）需配对码。
+ * 本地直连判定：socket 来源是回环 AND 无 x-aun-provider-aid 头（非隧道）。
+ */
+function issueLocalDirectToken(req, log) {
+    if (!isLocalDirect(req))
+        return null;
+    const now = Date.now();
+    const token = crypto.randomBytes(32).toString('hex');
+    const store = loadTokens();
+    pruneExpired(store, now);
+    const ip = clientIp(req);
+    store.tokens.push({ token, createdAt: now, lastActive: now, label: `local-direct:${ip}` });
+    saveTokens(store);
+    log(`✓ 本地直连自动授权 from ${ip}`);
+    return token;
+}
 // ── WebSocket connection ──
 function handleConnection(ws, req, log) {
     const ip = clientIp(req);
@@ -372,19 +527,69 @@ function handleConnection(ws, req, log) {
     ws.on('error', () => { });
 }
 // ── Port binding ──
-function bindPort(server, preferred) {
+/** 跨平台：查端口上的 LISTENING 进程 PID（清理被占端口用）。 */
+function findPidsOnPort(port) {
+    const pids = new Set();
+    try {
+        if (process.platform === 'win32') {
+            const out = spawnSync('netstat', ['-ano', '-p', 'TCP'], { encoding: 'utf-8', windowsHide: true }).stdout || '';
+            for (const line of out.split('\n')) {
+                if (!/LISTENING/i.test(line))
+                    continue;
+                const m = line.match(/:(\d+)\s+\S+\s+LISTENING\s+(\d+)/i);
+                if (m && Number(m[1]) === port) {
+                    const pid = Number(m[2]);
+                    if (pid && pid !== process.pid)
+                        pids.add(pid);
+                }
+            }
+        }
+        else {
+            const out = spawnSync('lsof', ['-ti', `tcp:${port}`, '-sTCP:LISTEN'], { encoding: 'utf-8' }).stdout || '';
+            for (const l of out.split('\n')) {
+                const pid = parseInt(l.trim(), 10);
+                if (pid && pid !== process.pid)
+                    pids.add(pid);
+            }
+        }
+    }
+    catch { /* netstat/lsof 缺失或无匹配 */ }
+    return [...pids];
+}
+/** 杀掉占用目标端口的旧进程（强制）。 */
+function killPidsOnPort(port, log) {
+    let killed = false;
+    for (const pid of findPidsOnPort(port)) {
+        try {
+            if (process.platform === 'win32')
+                spawnSync('taskkill', ['/PID', String(pid), '/F'], { windowsHide: true });
+            else
+                process.kill(pid, 'SIGKILL');
+            log(`⚠ 端口 ${port} 被旧进程 PID ${pid} 占用，已终止`);
+            killed = true;
+        }
+        catch { /* 已退出或无权限 */ }
+    }
+    return killed;
+}
+function sleepMs(ms) { return new Promise(r => setTimeout(r, ms)); }
+function bindPort(server, preferred, log) {
     return new Promise((resolve, reject) => {
-        let attempt = 0;
+        let killedOnce = false;
         const tryBind = (port) => {
-            server.once('error', (err) => {
-                if (err.code === 'EADDRINUSE' && attempt < 10) {
-                    attempt++;
-                    tryBind(port + 1);
+            server.once('error', async (err) => {
+                if (err.code === 'EADDRINUSE' && !killedOnce) {
+                    // 默认行为：杀掉占用端口的旧进程并重试本端口（而非 +1 漂移），避免端口被占。
+                    killedOnce = true;
+                    killPidsOnPort(port, log);
+                    await sleepMs(600);
+                    tryBind(port);
                 }
-                else
+                else {
                     reject(err);
+                }
             });
-            server.listen(port, '0.0.0.0', () => resolve({ port, displaced: port !== preferred }));
+            server.listen(port, '0.0.0.0', () => resolve({ port, displaced: false }));
         };
         tryBind(preferred);
     });
@@ -410,8 +615,10 @@ export async function startWatchWebServer(opts = {}) {
     }
     const server = http.createServer((req, res) => {
         if (req.method === 'GET' && (req.url || '') === '/api/pair-code') {
-            // 仅 localhost 可取码：远程浏览器拿不到，必须由同机的 `ec watch web` 显示给用户
-            if (!isLocalhost(req)) {
+            // 取码 API：仅真本地直连可用（socket 回环 + 无 x-aun-provider-aid）。
+            // 隧道回连虽然 socket 也是 127.0.0.1，但有 x-aun-provider-aid 头 → 拒绝，
+            // 防止远程访客通过隧道拿到配对码（安全漏洞）。
+            if (!isLocalDirect(req)) {
                 res.writeHead(403, { 'Content-Type': 'application/json' });
                 res.end(JSON.stringify({ error: 'forbidden' }));
                 return;
@@ -421,15 +628,27 @@ export async function startWatchWebServer(opts = {}) {
             res.end(JSON.stringify({ code, expiresAt }));
         }
         else if (req.method === 'POST' && (req.url || '').startsWith('/api/pair')) {
+            // 配对 API：远程（隧道/真远程）需要配对码；本地直连自动发 token 跳过配对。
+            const autoToken = issueLocalDirectToken(req, log);
+            if (autoToken) {
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ ok: true, token: autoToken }));
+                return;
+            }
             handlePair(req, res, pairingCode, pairingExpiry, log);
         }
         else if (req.method === 'GET' && (req.url || '').startsWith('/api/stats/')) {
-            // Stats API — requires auth
+            // Stats API — 本地直连自动发 token（免鉴权），远程需鉴权
             const authHeader = req.headers.authorization || '';
             const bearerToken = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';
             const { query } = parseUrl(req.url || '');
-            const token = bearerToken || query.token || '';
-            if (!validateAndRenew(token, Date.now())) {
+            let token = bearerToken || query.token || '';
+            if (!token) {
+                const autoToken = issueLocalDirectToken(req, log);
+                if (autoToken)
+                    token = autoToken;
+            }
+            if (!token || !validateAndRenew(token, Date.now())) {
                 res.writeHead(401, { 'Content-Type': 'application/json' });
                 res.end(JSON.stringify({ error: 'unauthorized' }));
                 return;
@@ -443,7 +662,8 @@ export async function startWatchWebServer(opts = {}) {
     const wss = new WebSocketServer({ noServer: true });
     server.on('upgrade', (req, socket, head) => {
         const { query } = parseUrl(req.url || '');
-        const authed = validateAndRenew(query.token || '', Date.now());
+        // 本地直连免 token；远程需 token。
+        const authed = isLocalDirect(req) || validateAndRenew(query.token || '', Date.now());
         wss.handleUpgrade(req, socket, head, (ws) => {
             if (!authed) {
                 log(`✗ WS 拒绝（无效 token） from ${clientIp(req)}`);
@@ -453,7 +673,7 @@ export async function startWatchWebServer(opts = {}) {
             handleConnection(ws, req, log);
         });
     });
-    const { port, displaced } = await bindPort(server, opts.port ?? DEFAULT_PORT);
+    const { port, displaced } = await bindPort(server, opts.port ?? DEFAULT_PORT, log);
     return {
         url: `http://0.0.0.0:${port}`,
         port,

package/dist/sources/aid.js

@@ -64,13 +64,31 @@ function scanAidActivity() {
     }
     return result;
 }
+// evolclaw 版本：与 watch aid 状态栏一致。daemon 进程级、整轮 watch 不变，
+// 故缓存一次（首次 menu.query name=system 拿到后复用），避免每秒多发一次 IPC。
+let _cachedVersion = null;
+async function fetchVersion(socket) {
+    if (_cachedVersion)
+        return _cachedVersion;
+    try {
+        const r = await ipcQuery(socket, { type: 'menu.exec', payload: { type: 'menu.query', id: 'aid-sys-q', name: 'system' } }, 4000);
+        const v = r?.ok ? r.response?.data?.version : null;
+        if (v)
+            _cachedVersion = v;
+        return v ?? null;
+    }
+    catch {
+        return null;
+    }
+}
 async function buildSnapshot() {
     const p = resolvePaths();
-    const [aidsResp, statsResp, statusResp, agentsResp] = await Promise.all([
+    const [aidsResp, statsResp, statusResp, agentsResp, version] = await Promise.all([
         ipcQuery(p.socket, { type: 'aun-aids' }),
         ipcQuery(p.socket, { type: 'aun-aid-stats' }),
         ipcQuery(p.socket, { type: 'status' }),
         ipcQuery(p.socket, { type: 'evolagent.list' }),
+        fetchVersion(p.socket),
     ]);
     const daemonRunning = aidsResp !== null || statusResp !== null;
     if (!daemonRunning) {
@@ -89,6 +107,7 @@ async function buildSnapshot() {
         stats: statsResp?.stats ?? [],
         status: statusResp ?? null,
         agents: agentsResp?.agents ?? [],
+        version: version ?? null,
     };
 }
 export const aidSource = {

package/dist/sources/gateway.js

@@ -0,0 +1,44 @@
+/**
+ * gateway.ts — 网关（baseagent 后端）配置数据源（只读代理）。
+ *
+ * ECWeb 不直接读写配置文件。snapshot 通过 daemon 的 menu.exec IPC 调
+ * menu.query name=gateway，由 daemon 端的 command-handler-gateway-control 统一
+ * 出数据（apiKey 已掩码）。写操作（update/test/delete）走前端 menuSend → menu IPC，
+ * 不经过本 source。
+ *
+ * 连不上 daemon 时返回 { gateways: [], error } 让前端提示。
+ */
+import { resolvePaths } from '../paths.js';
+import { ipcQuery } from '../ipc-client.js';
+async function getSnapshot() {
+    const sock = resolvePaths().socket;
+    const resp = await ipcQuery(sock, { type: 'menu.exec', payload: { type: 'menu.query', name: 'gateway', id: 'ecw-gateway-snap' } }, 5000);
+    if (!resp) {
+        return { gateways: [], scopes: [], types: [], error: 'evolclaw 未运行或 socket 不可达' };
+    }
+    if (!resp.ok) {
+        return { gateways: [], scopes: [], types: [], error: resp.error || 'daemon 返回失败' };
+    }
+    const inner = resp.response;
+    if (inner?.error) {
+        return { gateways: [], scopes: [], types: [], error: inner.error.message };
+    }
+    const data = inner?.data ?? {};
+    return {
+        gateways: Array.isArray(data.gateways) ? data.gateways : [],
+        scopes: Array.isArray(data.scopes) ? data.scopes : [],
+        types: Array.isArray(data.types) ? data.types : [],
+        effective: Array.isArray(data.effective) ? data.effective : [],
+        envMismatch: data.envMismatch || { hasMismatch: false, mismatches: [] },
+    };
+}
+export const gatewaySource = {
+    kind: 'gateway',
+    async snapshot() {
+        return getSnapshot();
+    },
+    subscribe(_params, _push) {
+        // 网关配置变更不频繁，无文件监听；前端通过操作后主动 re-subscribe 刷新。
+        return () => { };
+    },
+};