ai-cli-toolkit 0.2.0__tar.gz

ai_cli_toolkit-0.2.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 example-git
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

ai_cli_toolkit-0.2.0/PKG-INFO

@@ -0,0 +1,17 @@
+Metadata-Version: 2.4
+Name: ai-cli-toolkit
+Version: 0.2.0
+Summary: Unified AI CLI wrapper for Claude, Codex, Copilot, and Gemini
+Author-email: example-git <admin@xo.vg>
+Requires-Python: >=3.12
+License-File: LICENSE
+Requires-Dist: mitmproxy>=12.1.2
+Requires-Dist: shtab>=1.7
+Requires-Dist: bcrypt>=4.1
+Provides-Extra: dev
+Requires-Dist: mypy>=1.11; extra == "dev"
+Requires-Dist: pre-commit>=3.8; extra == "dev"
+Requires-Dist: pytest>=8.3; extra == "dev"
+Requires-Dist: pytest-cov>=5.0; extra == "dev"
+Requires-Dist: ruff>=0.6.9; extra == "dev"
+Dynamic: license-file

ai_cli_toolkit-0.2.0/README.md

@@ -0,0 +1,318 @@
+<p align="center">
+  <img src="docs/assets/ai-cli-banner.png" alt="AI Cli Toolkit banner" width="980" />
+</p>
+
+# AI Cli Toolkit
+
+AI Cli Toolkit is a unified wrapper around multiple AI coding CLIs:
+
+- Claude Code
+- OpenAI Codex CLI
+- GitHub Copilot CLI
+- Gemini CLI
+
+It runs each tool through a managed mitmproxy layer to inject instructions consistently, handle per-tool request formats, and keep session tooling in one place.
+
+## Early Version Notice
+
+---
+
+This is an early `0.2.0` release. Features are still evolving, behavior may change, and some workflows may be incomplete or unstable.
+
+Use this project at your own risk. You are responsible for how you use it, including compliance with platform policies, terms of service, and applicable laws. The maintainers are not liable for misuse, data loss, account issues, service interruptions, or other consequences resulting from use of this tool.
+
+---
+
+## Key Features
+
+- Single entrypoint: `ai-cli <tool> [DIR] [args...]`
+- Optional aliasing so `claude`, `codex`, `copilot`, `gemini` route through the wrapper
+- Layered instruction composition:
+  - Canary
+  - Base
+  - Per-tool
+  - Per-project
+  - User custom
+- Agent-agnostic session inspection:
+  - `ai-cli session --list`
+  - `ai-cli session --agent claude --tail 20`
+  - `ai-cli session --all --grep "keyword"`
+- Startup continuity context:
+  - At tool launch, recent cwd-matching context is built from session logs
+  - The context block is included in startup prompt text and printed at init
+- Per-tool updater:
+  - `ai-cli update --list`
+  - `ai-cli update codex`
+  - `ai-cli update --all`
+- Remote session support:
+  - Launch tools on remote hosts: `ai-cli codex user@host:/path/to/project`
+  - Packages and deploys ai-mux, prompt layers, and editor launcher to the remote
+  - Syncs edited prompt files back on session exit
+- In-session prompt editor (F5–F8):
+  - F5: global instructions (`system_instructions.txt`)
+  - F6: base instructions (`base_instructions.txt`)
+  - F7: per-tool instructions (`instructions/<tool>.txt`)
+  - F8: per-project instructions (`.ai-cli/project_instructions.txt`)
+  - Status bar shows shortcut hints; prefix with `C-]` to trigger
+- ai-mux tmux orchestrator:
+  - Per-tool tmux sockets (`--socket-name`)
+  - Auto-detach stale clients on reconnect (scoped per-session)
+  - Cross-platform: arm64 macOS + x86_64 Linux binaries
+## Requirements
+
+- Python `>=3.12`
+- `mitmproxy` (auto-installed on first run if missing)
+- Wrapped tool binaries installed (`claude`, `codex`, `copilot`, `gemini`)
+
+## Install
+
+### Preferred
+
+```bash
+bash install.sh
+```
+
+Useful flags:
+
+- `--reinstall`
+- `--alias-all`
+- `--alias <tool>` (repeatable)
+- `--no-alias`
+- `--auto-install-deps` (allow installer to install required system deps like `tmux`)
+- `--yes` (assume yes for interactive prompts)
+- `--non-interactive`
+
+### Manual dev install
+
+```bash
+python3 -m pip install --user -e .
+```
+
+## CLI Usage
+
+```bash
+ai-cli <tool> [DIR] [args...]
+ai-cli <tool> user@host:/remote/dir [args...]   # remote session
+ai-cli menu
+ai-cli status
+ai-cli system [tool]
+ai-cli system prompt [model]
+ai-cli prompt-edit <global|tool> [tool]
+ai-cli history [options]
+ai-cli session [options]  # alias for history
+ai-cli traffic [options]
+ai-cli cleanup [options]
+ai-cli update [tool|--all]
+ai-cli completions generate [--shell bash|zsh|all]
+```
+
+Directory launch behavior:
+
+- If the first argument after `<tool>` is an existing directory, ai-cli launches the wrapped tool in that directory.
+- If the argument is `user@host:/path`, ai-cli packages and deploys a remote session via SSH/rsync.
+- This applies to both:
+  - `ai-cli claude /path/to/project`
+  - `claude /path/to/project` (when `claude` is aliased to ai-cli wrapper)
+  - `ai-cli codex user@server:/home/user/project`
+
+`ai-cli menu` uses curses in an interactive TTY and falls back to a non-interactive status output otherwise.
+
+Tools:
+
+- `claude`
+- `codex`
+- `copilot`
+- `gemini`
+
+Note for Codex users:
+
+- In wrapped `ai-cli codex` sessions, `Ctrl+G` external-editor behavior is enabled
+  by default.
+- To disable Codex external-editor behavior, set:
+  `AI_CLI_CODEX_DISABLE_EXTERNAL_EDITOR=1`
+
+## Configuration
+
+Config file:
+
+- `~/.ai-cli/config.json`
+
+Key fields:
+
+- Global `instructions_file` and `canary_rule`
+- Proxy host and CA path
+- Retention policy:
+  - `retention.logs_days`
+  - `retention.traffic_days`
+- Privacy policy:
+  - `privacy.redact_traffic_bodies`
+- Per-tool overrides for:
+  - `enabled`
+  - `binary`
+  - `instructions_file`
+  - `canary_rule`
+  - `passthrough`
+  - `debug_requests`
+  - `developer_instructions_mode` (Codex: `overwrite`, `append`, `prepend`; default `overwrite`)
+- Alias state tracking
+
+Codex prompt handling (`developer_instructions_mode=overwrite`) builds a sectioned developer message:
+- `<GLOBAL GUIDELINES>` from global user instructions file (`instructions_file`)
+- `<DEVELOPER PROMPT>` from codex-specific instructions
+- recurring runtime blocks (permissions/apps/collaboration mode) preserved in tagged recurring sections
+
+In `ai-mux` sessions:
+- `F5` opens the global prompt file in your editor (`VISUAL`/`EDITOR`, fallback `nano`/`vi`/`vim`)
+- `F6` opens the base instructions file
+- `F7` opens the active tool's prompt file
+- `F8` opens the project-level prompt file
+- All F-key bindings require `C-]` prefix (shown in status bar)
+- Codex injections read these files per request, so file edits apply to subsequent turns in the same conversation
+
+## Instruction Files
+
+Instruction sources:
+
+1. Canary rule
+2. Base template (`templates/base_instructions.txt` or `~/.ai-cli/base_instructions.txt`)
+3. Per-tool (`~/.ai-cli/instructions/<tool>.txt`)
+4. Project (`./.ai-cli/project_instructions.txt`)
+5. User (`~/.ai-cli/system_instructions.txt` or configured file)
+
+Runtime behavior:
+
+- `compose_instructions()` builds the 5-layer text for wrapper logging/hash visibility.
+- Addons inject using the global instructions file + canary rule.
+- For Codex, `~/.ai-cli/instructions/codex.txt` is also used as the `<DEVELOPER PROMPT>` section when `developer_instructions_mode=overwrite`.
+- Startup recent-context is appended to the canary rule unless disabled.
+
+Edit quickly:
+
+```bash
+ai-cli system
+ai-cli system codex
+ai-cli prompt-edit global
+ai-cli prompt-edit tool codex
+```
+
+## Retention And Privacy
+
+- Wrapper startup runs best-effort housekeeping:
+  - Prunes old wrapper logs from `~/.ai-cli/logs` using `retention.logs_days`
+  - Prunes old rows from `~/.ai-cli/traffic.db` using `retention.traffic_days`
+- Traffic body capture is redacted by default (`privacy.redact_traffic_bodies = true`) for common secret/token patterns.
+
+## Session Tooling
+
+List all discovered sessions:
+
+```bash
+ai-cli session --list
+```
+
+Show merged timeline:
+
+```bash
+ai-cli session --all --tail 50
+```
+
+Filter by agent:
+
+```bash
+ai-cli session --agent codex --tail 30
+```
+
+Filter by text:
+
+```bash
+ai-cli session --all --grep "statusline"
+```
+
+## Shell Completions
+
+`install.sh` copies completion source files from this repo into shell completion directories:
+
+- Zsh source: `completions/_ai-cli` -> `~/.oh-my-zsh/custom/completions/_ai-cli` (or `~/.zsh/completions/_ai-cli`)
+- Bash source: `completions/ai-cli.bash` -> `~/.local/share/bash-completion/completions/ai-cli`
+
+You can also generate scripts directly:
+
+```bash
+ai-cli completions generate --shell all
+```
+
+## Statusline
+
+A multi-tool aware statusline command is installed to:
+
+- `~/.claude/statusline-command.sh`
+
+Installer updates `~/.claude/settings.json` to point `statusLine` at the script.
+
+## Development
+
+Basic checks:
+
+```bash
+python3 -m compileall ai_cli
+python3 -m pip install -e '.[dev]'
+pytest
+pre-commit run --all-files
+python3 -m ai_cli --help
+python3 -m ai_cli session --help
+python3 -m ai_cli update --help
+bash -n install.sh
+```
+
+CI is configured in `.github/workflows/ci.yml` and currently runs `pre-commit` and `pytest`.
+
+## Docs
+
+Additional user docs live under `docs/`:
+
+- `docs/index.md`
+- `docs/getting-started.md`
+- `docs/cli-reference.md`
+- `docs/config-reference.md`
+- `docs/operations-runbook.md`
+- `docs/privacy-data-handling.md`
+
+## Troubleshooting
+
+- Proxy launches but tool cannot reach APIs:
+  - Confirm CA exists at `~/.mitmproxy/mitmproxy-ca-cert.pem`
+  - Check `~/.ai-cli/logs/*.mitmdump.log` for TLS/connection errors
+- Codex injection/traffic capture stopped:
+  - Ensure `~/.codex/config.toml` has `[network] allow_upstream_proxy = true` and `mitm = false`
+- No traffic rows appear:
+  - Verify tool was launched through `ai-cli`
+  - Check retention config is not too aggressive (`retention.traffic_days`)
+- Installer fails on missing `tmux`:
+  - Re-run with `--auto-install-deps` (or install `tmux` manually first)
+
+## Project Layout
+
+- `ai_cli/` core package
+- `ai_cli/tools/` tool specs and registry
+- `ai_cli/addons/` mitmproxy injection addons
+- `ai_cli/bin/` compiled ai-mux binaries (arm64 macOS, x86_64 Linux)
+- `ai_cli/remote.py` remote session spec and SSH runner
+- `ai_cli/remote_package.py` remote package builder, tmux conf, prompt sync
+- `ai_cli/prompt_editor_launcher.py` F5–F8 prompt editor (deployed to remote)
+- `mux/` Rust source for ai-mux tmux orchestrator
+- `templates/` base instruction template
+- `completions/` shell completion scripts
+- `statusline/` statusline command script
+- `reference/` preserved source/reference material
+
+## README Maintenance
+
+This README is intended to be a living operational guide.
+
+When behavior changes, update this file in the same change set for:
+
+- CLI commands or flags
+- Installer behavior
+- Config schema/defaults
+- Session discovery/parsing behavior
+- Prompt/instruction composition behavior

ai_cli_toolkit-0.2.0/ai_cli/__init__.py

@@ -0,0 +1,3 @@
+"""ai-cli: Unified AI CLI wrapper for Claude, Codex, Copilot, and Gemini."""
+
+__version__ = "0.2.0"

ai_cli_toolkit-0.2.0/ai_cli/__main__.py

@@ -0,0 +1,6 @@
+"""Entry point for python -m ai_cli."""
+
+from ai_cli.main import main
+
+if __name__ == "__main__":
+    raise SystemExit(main())

ai_cli_toolkit-0.2.0/ai_cli/bin/remote-tty-wrapper

@@ -0,0 +1,153 @@
+#!/usr/bin/env zsh
+set -euo pipefail
+
+die() { print -u2 -- "Error: $*"; exit 1; }
+
+usage() {
+  cat <<'USAGE'
+remote-tty-wrapper -H user@host [-s session] [--ssh-opt "..."] <mode> [mode args]
+
+Global:
+  -H, --host user@host        required
+  -s, --session NAME          tmux session name (default: sshwrap)
+  --ssh-opt "..."             extra ssh option (repeatable)
+
+Modes:
+  start [--init 'CMD']        ensure tmux session exists; optionally run CMD inside it
+  shell [--init 'CMD']        attach to tmux session; optionally run CMD inside it first
+  send  CMD...                send one command line into the tmux session
+  send  -- 'CMD1' -- 'CMD2'   send multiple command lines (separator is literal --)
+  close                       kill the tmux session
+
+Examples:
+  remote-tty-wrapper -H example@192.168.1.117 start
+  remote-tty-wrapper -H example@192.168.1.117 shell
+  remote-tty-wrapper -H example@192.168.1.117 shell --init 'source ~/miniconda3/bin/activate; conda activate bot-refactor/conda'
+  remote-tty-wrapper -H example@192.168.1.117 send 'cd bot-refactor'
+  remote-tty-wrapper -H example@192.168.1.117 send -- 'cd bot-refactor' -- 'pwd' -- 'python -V'
+USAGE
+}
+
+REMOTE_USER_HOST="${REMOTE_USER_HOST:-}"
+SESSION="sshwrap"
+MODE=""
+INIT_CMD=""
+
+typeset -a SSH_OPTS
+SSH_OPTS=(-o PermitLocalCommand=no -o ServerAliveInterval=30 -o ServerAliveCountMax=3)
+
+# ---- parse globals ----
+while (( $# )); do
+  case "$1" in
+    -H|--host) shift; (( $# )) || die "Missing --host"; REMOTE_USER_HOST="$1"; shift;;
+    -s|--session) shift; (( $# )) || die "Missing --session"; SESSION="$1"; shift;;
+    --ssh-opt) shift; (( $# )) || die "Missing --ssh-opt"; SSH_OPTS+=("$1"); shift;;
+    -h|--help) usage; exit 0;;
+    start|shell|send|close) MODE="$1"; shift; break;;
+    *) die "Unknown option or missing mode: $1 (use --help)";;
+  esac
+done
+
+[[ -n "$REMOTE_USER_HOST" ]] || die "No host set (-H user@host)"
+[[ -n "$MODE" ]] || die "No mode (use --help)"
+
+# ---- helper: run a shell snippet on remote with argv preserved ----
+ssh_sh() {
+  ssh "${SSH_OPTS[@]}" "$REMOTE_USER_HOST" sh -s -- "$@"
+}
+
+ensure_tmux_session() {
+  ssh_sh "$SESSION" <<'SH'
+sess="$1"
+command -v tmux >/dev/null 2>&1 || { echo "tmux not found on remote" >&2; exit 127; }
+tmux has-session -t "$sess" 2>/dev/null || tmux new-session -d -s "$sess"
+SH
+}
+
+tmux_send_line() {
+  ssh_sh "$SESSION" "$1" <<'SH'
+sess="$1"
+line="$2"
+tmux has-session -t "$sess" 2>/dev/null || tmux new-session -d -s "$sess"
+tmux send-keys -t "$sess" -l -- "$line"
+tmux send-keys -t "$sess" Enter
+SH
+}
+typeset -a REMAINING_ARGS
+parse_init() {
+  INIT_CMD=""
+  REMAINING_ARGS=()
+  if (( $# >= 2 )) && [[ "$1" == "--init" ]]; then
+    INIT_CMD="$2"
+    shift 2
+  fi
+  REMAINING_ARGS=("$@")
+}
+
+do_start() {
+  parse_init "$@"
+  (( ${#REMAINING_ARGS[@]} == 0 )) || die "start takes no extra args (use --init '...')"
+
+  ensure_tmux_session
+  [[ -n "$INIT_CMD" ]] && tmux_send_line "$INIT_CMD"
+}
+
+do_shell() {
+  parse_init "$@"
+  (( ${#REMAINING_ARGS[@]} == 0 )) || die "shell takes no extra args (use --init '...')"
+
+  [[ -r /dev/tty && -w /dev/tty ]] || die "shell requires a real terminal (/dev/tty unavailable). Use start/send."
+
+  local remote_cmd
+  remote_cmd="tmux has-session -t $(printf %q "$SESSION") 2>/dev/null || tmux new-session -d -s $(printf %q "$SESSION")"
+  if [[ -n "$INIT_CMD" ]]; then
+    remote_cmd="$remote_cmd; tmux send-keys -t $(printf %q "$SESSION") -l -- $(printf %q "$INIT_CMD"); tmux send-keys -t $(printf %q "$SESSION") Enter"
+  fi
+  remote_cmd="$remote_cmd; tmux attach -t $(printf %q "$SESSION")"
+
+  exec </dev/tty >/dev/tty 2>&1 \
+    ssh "${SSH_OPTS[@]}" -o RequestTTY=force "$REMOTE_USER_HOST" "$remote_cmd"
+}
+
+do_send() {
+  ensure_tmux_session
+  (( $# > 0 )) || die "send requires a command (or: send -- 'CMD1' -- 'CMD2' ...)"
+
+  if [[ "$1" == "--" ]]; then
+    shift
+    local cur=""
+    while (( $# )); do
+      if [[ "$1" == "--" ]]; then
+        [[ -n "$cur" ]] && tmux_send_line "$cur"
+        cur=""
+        shift
+        continue
+      fi
+      if [[ -z "$cur" ]]; then
+        cur="$1"
+      else
+        cur="$cur $1"
+      fi
+      shift
+    done
+    [[ -n "$cur" ]] && tmux_send_line "$cur"
+  else
+    tmux_send_line "$*"
+  fi
+}
+
+do_close() {
+  (( $# == 0 )) || die "close takes no arguments"
+  ssh_sh "$SESSION" <<'SH'
+sess="$1"
+command -v tmux >/dev/null 2>&1 || exit 0
+tmux kill-session -t "$sess" 2>/dev/null || true
+SH
+}
+
+case "$MODE" in
+  start) do_start "$@";;
+  shell) do_shell "$@";;
+  send)  do_send  "$@";;
+  close) do_close "$@";;
+esac

ai_cli_toolkit-0.2.0/ai_cli/ca.py

@@ -0,0 +1,175 @@
+"""CA certificate bootstrap and optional trust-store installation.
+
+Handles generating mitmproxy CA certificates on first run, and optionally
+installing them into the macOS or Linux system trust store.
+"""
+
+from __future__ import annotations
+
+import random
+import shutil
+import subprocess
+import time
+from pathlib import Path
+from typing import Any
+
+from ai_cli.log import append_log, fmt_cmd
+
+DEFAULT_CA_PATH = "~/.mitmproxy/mitmproxy-ca-cert.pem"
+
+
+def _stop_process(proc: subprocess.Popen[Any]) -> None:
+    """Terminate a subprocess, escalating to kill after timeout."""
+    if proc.poll() is not None:
+        return
+    proc.terminate()
+    try:
+        proc.wait(timeout=3)
+    except subprocess.TimeoutExpired:
+        proc.kill()
+
+
+def bootstrap_ca_cert(
+    ca_path: Path,
+    mitmdump_bin: str,
+    log_path: Path,
+) -> bool:
+    """Ensure mitmproxy CA cert exists at *ca_path*.
+
+    If missing, runs a short-lived mitmdump process to generate CA material.
+    Returns True if cert is available after bootstrap.
+    """
+    if ca_path.is_file():
+        return True
+
+    confdir = ca_path.parent
+    generated_path = confdir / "mitmproxy-ca-cert.pem"
+    try:
+        confdir.mkdir(parents=True, exist_ok=True)
+    except OSError as exc:
+        append_log(log_path, f"Failed to create CA directory {confdir}: {exc}")
+        return False
+
+    append_log(log_path, f"CA cert missing at {ca_path}. Bootstrapping with mitmdump.")
+
+    for _ in range(3):
+        port = random.randint(39000, 49000)
+        bootstrap_cmd = [
+            mitmdump_bin,
+            "--quiet",
+            "--set",
+            f"confdir={confdir}",
+            "--listen-host",
+            "127.0.0.1",
+            "-p",
+            str(port),
+        ]
+        append_log(log_path, f"CA bootstrap command: {fmt_cmd(bootstrap_cmd)}")
+
+        try:
+            bootstrap_proc = subprocess.Popen(
+                bootstrap_cmd,
+                stdin=subprocess.DEVNULL,
+                stdout=subprocess.DEVNULL,
+                stderr=subprocess.DEVNULL,
+                start_new_session=True,
+            )
+        except OSError as exc:
+            append_log(log_path, f"Failed to start bootstrap mitmdump: {exc}")
+            continue
+
+        time.sleep(0.6)
+        _stop_process(bootstrap_proc)
+        if generated_path.is_file() or ca_path.is_file():
+            break
+
+    if generated_path.is_file() and generated_path != ca_path:
+        try:
+            shutil.copy2(generated_path, ca_path)
+        except OSError as exc:
+            append_log(
+                log_path, f"Failed to copy generated CA cert to {ca_path}: {exc}"
+            )
+
+    if ca_path.is_file():
+        append_log(log_path, f"CA cert available at {ca_path}.")
+        return True
+
+    append_log(log_path, f"CA bootstrap failed. Expected cert at {ca_path}.")
+    return False
+
+
+def install_ca_macos(ca_path: Path, log_path: Path) -> bool:
+    """Install CA cert into the macOS system keychain (requires sudo)."""
+    if not ca_path.is_file():
+        append_log(log_path, f"CA cert not found at {ca_path}")
+        return False
+
+    cmd = [
+        "sudo",
+        "security",
+        "add-trusted-cert",
+        "-d",
+        "-r",
+        "trustRoot",
+        "-k",
+        "/Library/Keychains/System.keychain",
+        str(ca_path),
+    ]
+    append_log(log_path, f"Installing CA to macOS keychain: {fmt_cmd(cmd)}")
+    try:
+        result = subprocess.run(cmd, check=False, capture_output=True, text=True)
+        if result.returncode == 0:
+            append_log(log_path, "CA cert installed to macOS system keychain.")
+            return True
+        append_log(
+            log_path,
+            f"CA install failed (exit={result.returncode}): {result.stderr.strip()}",
+        )
+    except OSError as exc:
+        append_log(log_path, f"CA install failed: {exc}")
+    return False
+
+
+def install_ca_linux(ca_path: Path, log_path: Path) -> bool:
+    """Install CA cert into the Linux system trust store."""
+    if not ca_path.is_file():
+        append_log(log_path, f"CA cert not found at {ca_path}")
+        return False
+
+    # Try Debian/Ubuntu style
+    dest_dir = Path("/usr/local/share/ca-certificates")
+    update_cmd = "update-ca-certificates"
+    if not dest_dir.exists():
+        # Try RHEL/Fedora style
+        dest_dir = Path("/etc/pki/ca-trust/source/anchors")
+        update_cmd = "update-ca-trust"
+
+    if not dest_dir.exists():
+        append_log(log_path, "No known CA trust directory found on this system.")
+        return False
+
+    dest = dest_dir / "mitmproxy-ca-cert.crt"
+    try:
+        result = subprocess.run(
+            ["sudo", "cp", str(ca_path), str(dest)],
+            check=False,
+            capture_output=True,
+            text=True,
+        )
+        if result.returncode != 0:
+            append_log(log_path, f"Failed to copy CA cert: {result.stderr.strip()}")
+            return False
+        result = subprocess.run(
+            ["sudo", update_cmd],
+            check=False,
+            capture_output=True,
+            text=True,
+        )
+        if result.returncode == 0:
+            append_log(log_path, f"CA cert installed via {update_cmd}.")
+            return True
+        append_log(log_path, f"{update_cmd} failed: {result.stderr.strip()}")
+    except OSError as exc:
+        append_log(log_path, f"CA install failed: {exc}")
+    return False