smartcontext-proxy 0.1.0 → 0.2.0

package/src/system/linux.ts

@@ -0,0 +1,57 @@
+import { execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+
+/** Configure Linux system proxy */
+export function setSystemProxy(host: string, port: number): { success: boolean; message: string } {
+  const proxyUrl = `http://${host}:${port}`;
+
+  try {
+    // Try GNOME settings
+    try {
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy', 'mode', "'manual'"], { stdio: 'pipe' });
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy.http', 'host', `'${host}'`], { stdio: 'pipe' });
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy.http', 'port', String(port)], { stdio: 'pipe' });
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy.https', 'host', `'${host}'`], { stdio: 'pipe' });
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy.https', 'port', String(port)], { stdio: 'pipe' });
+    } catch {}
+
+    // Write environment file for shell sessions
+    const envFile = '/etc/profile.d/smartcontext-proxy.sh';
+    const content = `# SmartContext Proxy - auto-generated
+export http_proxy="${proxyUrl}"
+export https_proxy="${proxyUrl}"
+export HTTP_PROXY="${proxyUrl}"
+export HTTPS_PROXY="${proxyUrl}"
+export no_proxy="localhost,127.0.0.1,::1"
+`;
+    try {
+      execFileSync('sudo', ['tee', envFile], { input: content, stdio: ['pipe', 'pipe', 'pipe'] });
+    } catch {}
+
+    return { success: true, message: `System proxy set to ${proxyUrl}` };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+/** Clear Linux system proxy */
+export function clearSystemProxy(): { success: boolean; message: string } {
+  try {
+    try {
+      execFileSync('gsettings', ['set', 'org.gnome.system.proxy', 'mode', "'none'"], { stdio: 'pipe' });
+    } catch {}
+
+    try {
+      execFileSync('sudo', ['rm', '-f', '/etc/profile.d/smartcontext-proxy.sh'], { stdio: 'pipe' });
+    } catch {}
+
+    return { success: true, message: 'System proxy cleared' };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+export function isProxyConfigured(port: number): boolean {
+  const proxyEnv = process.env['https_proxy'] || process.env['HTTPS_PROXY'] || '';
+  return proxyEnv.includes(String(port));
+}

package/src/system/macos.ts

@@ -0,0 +1,89 @@
+import { execFileSync } from 'node:child_process';
+
+/** Get active network interface name (e.g., "Wi-Fi", "Ethernet") */
+export function getActiveInterface(): string {
+  try {
+    const route = execFileSync('route', ['-n', 'get', 'default'], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const ifMatch = route.match(/interface:\s*(\S+)/);
+    if (!ifMatch) return 'Wi-Fi';
+
+    const ifName = ifMatch[1];
+    // Map interface ID to service name
+    const services = execFileSync('networksetup', ['-listallhardwareports'], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const lines = services.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      if (lines[i].includes(`Device: ${ifName}`)) {
+        const nameLine = lines[i - 1];
+        const nameMatch = nameLine?.match(/Hardware Port:\s*(.+)/);
+        if (nameMatch) return nameMatch[1];
+      }
+    }
+    return 'Wi-Fi';
+  } catch {
+    return 'Wi-Fi';
+  }
+}
+
+/** Configure macOS system proxy to use SmartContext */
+export function setSystemProxy(host: string, port: number): { success: boolean; message: string } {
+  const iface = getActiveInterface();
+  try {
+    // Set HTTPS proxy
+    execFileSync('networksetup', ['-setsecurewebproxy', iface, host, String(port)], { stdio: 'pipe' });
+    // Set HTTP proxy
+    execFileSync('networksetup', ['-setwebproxy', iface, host, String(port)], { stdio: 'pipe' });
+    // Enable them
+    execFileSync('networksetup', ['-setsecurewebproxystate', iface, 'on'], { stdio: 'pipe' });
+    execFileSync('networksetup', ['-setwebproxystate', iface, 'on'], { stdio: 'pipe' });
+
+    return { success: true, message: `System proxy set to ${host}:${port} on ${iface}` };
+  } catch (err) {
+    return { success: false, message: `Failed to set proxy on ${iface}: ${err}` };
+  }
+}
+
+/** Remove system proxy configuration */
+export function clearSystemProxy(): { success: boolean; message: string } {
+  const iface = getActiveInterface();
+  try {
+    execFileSync('networksetup', ['-setsecurewebproxystate', iface, 'off'], { stdio: 'pipe' });
+    execFileSync('networksetup', ['-setwebproxystate', iface, 'off'], { stdio: 'pipe' });
+    return { success: true, message: `System proxy cleared on ${iface}` };
+  } catch (err) {
+    return { success: false, message: `Failed to clear proxy on ${iface}: ${err}` };
+  }
+}
+
+/** Set PAC URL as auto-proxy configuration */
+export function setAutoproxyURL(pacUrl: string): { success: boolean; message: string } {
+  const iface = getActiveInterface();
+  try {
+    execFileSync('networksetup', ['-setautoproxyurl', iface, pacUrl], { stdio: 'pipe' });
+    execFileSync('networksetup', ['-setautoproxystate', iface, 'on'], { stdio: 'pipe' });
+    return { success: true, message: `Auto-proxy URL set to ${pacUrl} on ${iface}` };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+/** Clear auto-proxy configuration */
+export function clearAutoproxyURL(): { success: boolean; message: string } {
+  const iface = getActiveInterface();
+  try {
+    execFileSync('networksetup', ['-setautoproxystate', iface, 'off'], { stdio: 'pipe' });
+    return { success: true, message: `Auto-proxy cleared on ${iface}` };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}` };
+  }
+}
+
+/** Check if system proxy is currently set to SmartContext */
+export function isProxyConfigured(port: number): boolean {
+  const iface = getActiveInterface();
+  try {
+    const info = execFileSync('networksetup', ['-getsecurewebproxy', iface], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    return info.includes(`Port: ${port}`) && info.includes('Enabled: Yes');
+  } catch {
+    return false;
+  }
+}

package/src/system/watchdog.ts

@@ -0,0 +1,76 @@
+import http from 'node:http';
+import * as macos from './macos.js';
+import * as linux from './linux.js';
+
+const CHECK_INTERVAL = 10_000; // 10 seconds
+let watchdogTimer: NodeJS.Timeout | null = null;
+let port = 4800;
+
+/**
+ * Start watchdog that monitors proxy health.
+ * If proxy becomes unreachable, auto-removes system proxy config
+ * to prevent breaking the user's internet.
+ */
+export function startWatchdog(proxyPort: number): void {
+  port = proxyPort;
+
+  watchdogTimer = setInterval(() => {
+    checkHealth().catch(() => {
+      console.log('[watchdog] Proxy unreachable — clearing system proxy');
+      emergencyClearProxy();
+      stopWatchdog();
+    });
+  }, CHECK_INTERVAL);
+
+  // Also clear proxy on process exit
+  process.on('exit', emergencyClearProxy);
+  process.on('uncaughtException', (err) => {
+    console.error('[watchdog] Uncaught exception:', err);
+    emergencyClearProxy();
+    process.exit(1);
+  });
+  process.on('unhandledRejection', (err) => {
+    console.error('[watchdog] Unhandled rejection:', err);
+  });
+}
+
+export function stopWatchdog(): void {
+  if (watchdogTimer) {
+    clearInterval(watchdogTimer);
+    watchdogTimer = null;
+  }
+}
+
+function checkHealth(): Promise<void> {
+  return new Promise((resolve, reject) => {
+    const req = http.get(`http://127.0.0.1:${port}/health`, { timeout: 5000 }, (res) => {
+      let data = '';
+      res.on('data', (chunk) => (data += chunk));
+      res.on('end', () => {
+        try {
+          const parsed = JSON.parse(data);
+          if (parsed.ok) resolve();
+          else reject(new Error('Health check failed'));
+        } catch {
+          reject(new Error('Invalid health response'));
+        }
+      });
+    });
+    req.on('error', reject);
+    req.on('timeout', () => {
+      req.destroy();
+      reject(new Error('Health check timeout'));
+    });
+  });
+}
+
+function emergencyClearProxy(): void {
+  try {
+    if (process.platform === 'darwin') {
+      macos.clearAutoproxyURL();
+      macos.clearSystemProxy();
+    } else {
+      linux.clearSystemProxy();
+    }
+  } catch {}
+}

package/src/test/connect-proxy.test.ts

@@ -0,0 +1,170 @@
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import http from 'node:http';
+import https from 'node:https';
+import net from 'node:net';
+import tls from 'node:tls';
+import fs from 'node:fs';
+import { ConnectProxy } from '../proxy/connect-proxy.js';
+import { buildConfig } from '../config/auto-detect.js';
+import { ensureCA, getCACertPath } from '../tls/ca-manager.js';
+import { classifyHost } from '../proxy/classifier.js';
+
+function httpRequest(
+  url: string,
+  options: http.RequestOptions,
+): Promise<{ status: number; body: string }> {
+  return new Promise((resolve, reject) => {
+    const req = http.request(url, options, (res) => {
+      let data = '';
+      res.on('data', (chunk) => (data += chunk));
+      res.on('end', () => resolve({ status: res.statusCode || 0, body: data }));
+    });
+    req.on('error', reject);
+    req.end();
+  });
+}
+
+describe('Traffic Classifier', () => {
+  it('identifies Anthropic as LLM', () => {
+    const match = classifyHost('api.anthropic.com', 443);
+    assert.ok(match);
+    assert.strictEqual(match.provider, 'anthropic');
+  });
+
+  it('identifies OpenAI as LLM', () => {
+    const match = classifyHost('api.openai.com', 443);
+    assert.ok(match);
+    assert.strictEqual(match.provider, 'openai');
+  });
+
+  it('identifies Ollama local as LLM', () => {
+    const match = classifyHost('localhost', 11434);
+    assert.ok(match);
+    assert.strictEqual(match.provider, 'ollama');
+  });
+
+  it('returns null for non-LLM hosts', () => {
+    assert.strictEqual(classifyHost('google.com', 443), null);
+    assert.strictEqual(classifyHost('github.com', 443), null);
+    assert.strictEqual(classifyHost('localhost', 3000), null);
+  });
+
+  it('identifies all known providers', () => {
+    const providers = [
+      ['api.anthropic.com', 'anthropic'],
+      ['api.openai.com', 'openai'],
+      ['generativelanguage.googleapis.com', 'google'],
+      ['openrouter.ai', 'openrouter'],
+      ['api.groq.com', 'groq'],
+      ['api.deepseek.com', 'deepseek'],
+    ] as const;
+
+    for (const [host, expected] of providers) {
+      const match = classifyHost(host, 443);
+      assert.ok(match, `Should match ${host}`);
+      assert.strictEqual(match.provider, expected);
+    }
+  });
+});
+
+describe('CA Manager', () => {
+  it('generates CA cert on first call', () => {
+    const result = ensureCA();
+    assert.ok(result.cert.includes('BEGIN CERTIFICATE'));
+    assert.ok(result.key.includes('BEGIN RSA PRIVATE KEY'));
+  });
+
+  it('returns same cert on subsequent calls', () => {
+    const a = ensureCA();
+    const b = ensureCA();
+    assert.strictEqual(a.cert, b.cert);
+  });
+
+  it('CA cert file exists on disk', () => {
+    assert.ok(fs.existsSync(getCACertPath()));
+  });
+});
+
+describe('CONNECT Proxy', () => {
+  let proxy: ConnectProxy;
+  const PROXY_PORT = 14820;
+
+  before(async () => {
+    ensureCA();
+    const config = buildConfig({ proxy: { port: PROXY_PORT, host: '127.0.0.1' } });
+    config.logging.level = 'error';
+    proxy = new ConnectProxy(config);
+    await proxy.start();
+  });
+
+  after(async () => {
+    await proxy.stop();
+  });
+
+  it('serves dashboard at root', async () => {
+    const res = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/`, { method: 'GET' });
+    assert.strictEqual(res.status, 200);
+    assert.ok(res.body.includes('SmartContext'));
+  });
+
+  it('serves health endpoint', async () => {
+    const res = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/health`, { method: 'GET' });
+    assert.strictEqual(res.status, 200);
+    const data = JSON.parse(res.body);
+    assert.strictEqual(data.ok, true);
+    assert.strictEqual(data.type, 'connect-proxy');
+  });
+
+  it('serves PAC file', async () => {
+    const res = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/proxy.pac`, { method: 'GET' });
+    assert.strictEqual(res.status, 200);
+    assert.ok(res.body.includes('FindProxyForURL'));
+    assert.ok(res.body.includes('api.anthropic.com'));
+    assert.ok(res.body.includes('api.openai.com'));
+  });
+
+  it('API endpoints work', async () => {
+    const status = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/_sc/status`, { method: 'GET' });
+    assert.strictEqual(JSON.parse(status.body).state, 'running');
+
+    const stats = await httpRequest(`http://127.0.0.1:${PROXY_PORT}/_sc/stats`, { method: 'GET' });
+    assert.strictEqual(JSON.parse(stats.body).totalRequests, 0);
+  });
+
+  it('handles CONNECT to non-LLM host (tunnel)', async () => {
+    // Create a simple target server
+    const targetServer = http.createServer((req, res) => {
+      res.writeHead(200);
+      res.end('target-ok');
+    });
+    await new Promise<void>((r) => targetServer.listen(14821, '127.0.0.1', r));
+
+    // Send CONNECT through proxy
+    const tunnelOk = await new Promise<boolean>((resolve) => {
+      const req = http.request({
+        host: '127.0.0.1',
+        port: PROXY_PORT,
+        method: 'CONNECT',
+        path: '127.0.0.1:14821',
+      });
+
+      req.on('connect', (res, socket) => {
+        // Send HTTP request through tunnel
+        socket.write('GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n');
+        let data = '';
+        socket.on('data', (chunk) => { data += chunk; });
+        socket.on('end', () => {
+          socket.destroy();
+          resolve(data.includes('target-ok'));
+        });
+      });
+
+      req.on('error', () => resolve(false));
+      req.end();
+    });
+
+    targetServer.close();
+    assert.ok(tunnelOk, 'Should tunnel non-LLM traffic');
+  });
+});

package/src/tls/ca-manager.ts

@@ -0,0 +1,140 @@
+import forge from 'node-forge';
+import fs from 'node:fs';
+import path from 'node:path';
+
+const CA_DIR = path.join(process.env['HOME'] || '.', '.smartcontext', 'ca');
+const HOSTS_DIR = path.join(CA_DIR, 'hosts');
+const CA_CERT_PATH = path.join(CA_DIR, 'smartcontext-ca.crt');
+const CA_KEY_PATH = path.join(CA_DIR, 'smartcontext-ca.key');
+
+export interface CertPair {
+  cert: string; // PEM
+  key: string;  // PEM
+}
+
+let cachedCA: { cert: forge.pki.Certificate; key: forge.pki.rsa.PrivateKey } | null = null;
+const hostCertCache = new Map<string, CertPair>();
+
+/** Ensure root CA exists, generate if not */
+export function ensureCA(): CertPair {
+  fs.mkdirSync(CA_DIR, { recursive: true });
+  fs.mkdirSync(HOSTS_DIR, { recursive: true });
+
+  if (fs.existsSync(CA_CERT_PATH) && fs.existsSync(CA_KEY_PATH)) {
+    const cert = fs.readFileSync(CA_CERT_PATH, 'utf-8');
+    const key = fs.readFileSync(CA_KEY_PATH, 'utf-8');
+    cachedCA = {
+      cert: forge.pki.certificateFromPem(cert),
+      key: forge.pki.privateKeyFromPem(key) as forge.pki.rsa.PrivateKey,
+    };
+    return { cert, key };
+  }
+
+  // Generate new root CA
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+  const cert = forge.pki.createCertificate();
+
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = generateSerial();
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 10);
+
+  const attrs = [
+    { name: 'commonName', value: 'SmartContext Proxy CA' },
+    { name: 'organizationName', value: 'SmartContext' },
+  ];
+
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+
+  cert.setExtensions([
+    { name: 'basicConstraints', cA: true, critical: true },
+    { name: 'keyUsage', keyCertSign: true, cRLSign: true, critical: true },
+    { name: 'subjectKeyIdentifier' },
+  ]);
+
+  cert.sign(keys.privateKey, forge.md.sha256.create());
+
+  const certPem = forge.pki.certificateToPem(cert);
+  const keyPem = forge.pki.privateKeyToPem(keys.privateKey);
+
+  fs.writeFileSync(CA_CERT_PATH, certPem);
+  fs.writeFileSync(CA_KEY_PATH, keyPem, { mode: 0o600 });
+
+  cachedCA = { cert, key: keys.privateKey };
+
+  return { cert: certPem, key: keyPem };
+}
+
+/** Generate a TLS certificate for a specific hostname, signed by our CA */
+export function getCertForHost(hostname: string): CertPair {
+  // Check memory cache
+  const cached = hostCertCache.get(hostname);
+  if (cached) return cached;
+
+  // Check disk cache
+  const certPath = path.join(HOSTS_DIR, `${hostname}.crt`);
+  const keyPath = path.join(HOSTS_DIR, `${hostname}.key`);
+
+  if (fs.existsSync(certPath) && fs.existsSync(keyPath)) {
+    const pair = {
+      cert: fs.readFileSync(certPath, 'utf-8'),
+      key: fs.readFileSync(keyPath, 'utf-8'),
+    };
+    hostCertCache.set(hostname, pair);
+    return pair;
+  }
+
+  // Generate new cert
+  if (!cachedCA) ensureCA();
+
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+  const cert = forge.pki.createCertificate();
+
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = generateSerial();
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 1);
+
+  cert.setSubject([{ name: 'commonName', value: hostname }]);
+  cert.setIssuer(cachedCA!.cert.subject.attributes);
+
+  cert.setExtensions([
+    { name: 'basicConstraints', cA: false },
+    { name: 'keyUsage', digitalSignature: true, keyEncipherment: true },
+    { name: 'extKeyUsage', serverAuth: true },
+    {
+      name: 'subjectAltName',
+      altNames: [
+        { type: 2, value: hostname }, // DNS
+        ...(isIP(hostname) ? [{ type: 7, ip: hostname }] : []),
+      ],
+    },
+  ]);
+
+  cert.sign(cachedCA!.key, forge.md.sha256.create());
+
+  const certPem = forge.pki.certificateToPem(cert);
+  const keyPem = forge.pki.privateKeyToPem(keys.privateKey);
+
+  fs.writeFileSync(certPath, certPem);
+  fs.writeFileSync(keyPath, keyPem, { mode: 0o600 });
+
+  const pair = { cert: certPem, key: keyPem };
+  hostCertCache.set(hostname, pair);
+  return pair;
+}
+
+export function getCACertPath(): string {
+  return CA_CERT_PATH;
+}
+
+function generateSerial(): string {
+  return Date.now().toString(16) + Math.random().toString(16).slice(2, 10);
+}
+
+function isIP(str: string): boolean {
+  return /^\d{1,3}(\.\d{1,3}){3}$/.test(str) || str.includes(':');
+}

package/src/tls/trust-store.ts

@@ -0,0 +1,123 @@
+import { execFileSync } from 'node:child_process';
+import fs from 'node:fs';
+import path from 'node:path';
+import { getCACertPath } from './ca-manager.js';
+
+const CA_NAME = 'SmartContext Proxy CA';
+
+export interface TrustStoreResult {
+  success: boolean;
+  message: string;
+  requiresSudo: boolean;
+}
+
+/** Install CA cert into system trust store */
+export function installCA(): TrustStoreResult {
+  const certPath = getCACertPath();
+  if (!fs.existsSync(certPath)) {
+    return { success: false, message: 'CA cert not found. Run ensureCA() first.', requiresSudo: false };
+  }
+
+  if (process.platform === 'darwin') {
+    return installMacOS(certPath);
+  } else if (process.platform === 'linux') {
+    return installLinux(certPath);
+  }
+
+  return { success: false, message: `Unsupported platform: ${process.platform}`, requiresSudo: false };
+}
+
+/** Remove CA cert from system trust store */
+export function uninstallCA(): TrustStoreResult {
+  if (process.platform === 'darwin') {
+    return uninstallMacOS();
+  } else if (process.platform === 'linux') {
+    return uninstallLinux();
+  }
+
+  return { success: false, message: `Unsupported platform: ${process.platform}`, requiresSudo: false };
+}
+
+/** Check if CA is installed in trust store */
+export function isCAInstalled(): boolean {
+  if (process.platform === 'darwin') {
+    try {
+      const result = execFileSync('security', [
+        'find-certificate', '-c', CA_NAME, '-Z',
+        '/Library/Keychains/System.keychain',
+      ], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+      return result.includes(CA_NAME);
+    } catch {
+      return false;
+    }
+  } else if (process.platform === 'linux') {
+    const dest = '/usr/local/share/ca-certificates/smartcontext-ca.crt';
+    return fs.existsSync(dest);
+  }
+  return false;
+}
+
+function installMacOS(certPath: string): TrustStoreResult {
+  try {
+    // Add to system keychain (requires admin)
+    execFileSync('sudo', [
+      'security', 'add-trusted-cert',
+      '-d', '-r', 'trustRoot',
+      '-k', '/Library/Keychains/System.keychain',
+      certPath,
+    ], { stdio: 'pipe' });
+
+    return { success: true, message: 'CA installed in macOS System Keychain', requiresSudo: true };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes('sudo') || msg.includes('password')) {
+      return { success: false, message: 'Requires sudo. Run: sudo smartcontext-proxy install', requiresSudo: true };
+    }
+    return { success: false, message: `Failed to install CA: ${msg}`, requiresSudo: true };
+  }
+}
+
+function uninstallMacOS(): TrustStoreResult {
+  try {
+    execFileSync('sudo', [
+      'security', 'remove-trusted-cert',
+      '-d', getCACertPath(),
+    ], { stdio: 'pipe' });
+
+    return { success: true, message: 'CA removed from macOS System Keychain', requiresSudo: true };
+  } catch (err) {
+    // Try alternative: delete by name
+    try {
+      execFileSync('sudo', [
+        'security', 'delete-certificate',
+        '-c', CA_NAME,
+        '/Library/Keychains/System.keychain',
+      ], { stdio: 'pipe' });
+      return { success: true, message: 'CA removed from macOS System Keychain', requiresSudo: true };
+    } catch {
+      return { success: false, message: `Failed to remove CA: ${err}`, requiresSudo: true };
+    }
+  }
+}
+
+function installLinux(certPath: string): TrustStoreResult {
+  const dest = '/usr/local/share/ca-certificates/smartcontext-ca.crt';
+  try {
+    execFileSync('sudo', ['cp', certPath, dest], { stdio: 'pipe' });
+    execFileSync('sudo', ['update-ca-certificates'], { stdio: 'pipe' });
+    return { success: true, message: 'CA installed in Linux trust store', requiresSudo: true };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}`, requiresSudo: true };
+  }
+}
+
+function uninstallLinux(): TrustStoreResult {
+  const dest = '/usr/local/share/ca-certificates/smartcontext-ca.crt';
+  try {
+    execFileSync('sudo', ['rm', '-f', dest], { stdio: 'pipe' });
+    execFileSync('sudo', ['update-ca-certificates', '--fresh'], { stdio: 'pipe' });
+    return { success: true, message: 'CA removed from Linux trust store', requiresSudo: true };
+  } catch (err) {
+    return { success: false, message: `Failed: ${err}`, requiresSudo: true };
+  }
+}