feat: add cross-platform service management helper

README.md

@@ -152,6 +152,24 @@ llm:
 agentapi --cliproxy http://localhost:8317
 ```
 
+## Managed service (Windows / Linux / macOS)
+
+Use the repo service helper to install/start/stop/restart from one command.
+
+```bash
+task service:install    # install platform service scaffold
+task service:start      # start service
+task service:status     # inspect service status
+task service:restart    # restart service
+task service:stop       # stop service
+```
+
+Platform behavior:
+
+- Linux: manages `cliproxyapi-plusplus.service` via systemd.
+- macOS: manages `com.router-for-me.cliproxyapi-plusplus` via launchd.
+- Windows: uses `examples/windows/cliproxyapi-plusplus-service.ps1` for install/start/stop/status.
+
 ## Development
 
 ```bash

Taskfile.yml

@@ -343,6 +343,7 @@ tasks:
       - task: quality:vet
       - task: quality:staticcheck
       - task: quality:shellcheck
+      - task: service:test
       - task: lint:changed
 
   test:provider-smoke-matrix:test:
@@ -356,25 +357,19 @@ tasks:
     cmds:
       - task: preflight
       - task: quality:docs-open-items-parity
-<<<<<<< HEAD
       - task: quality:docs-phase-placeholders
-=======
->>>>>>> archive/pr-234-head-20260223
       - ./.github/scripts/release-lint.sh
 
   quality:docs-open-items-parity:
     desc: "Prevent stale status drift in fragmented open-items report"
     cmds:
       - ./.github/scripts/check-open-items-fragmented-parity.sh
 
-<<<<<<< HEAD
   quality:docs-phase-placeholders:
     desc: "Reject unresolved placeholder-like tokens in planning reports"
     cmds:
       - ./.github/scripts/check-phase-doc-placeholder-tokens.sh
 
-=======
->>>>>>> archive/pr-234-head-20260223
   test:smoke:
     desc: "Run smoke tests for startup and control-plane surfaces"
     deps: [preflight, cache:unlock]
@@ -484,6 +479,37 @@ tasks:
     cmds:
       - docker compose down
 
+  # -- Service Operations --
+  service:status:
+    desc: "Show service status for installed system service"
+    cmds:
+      - ./scripts/cliproxy-service.sh status
+
+  service:start:
+    desc: "Start cliproxyapi++ service (systemd/launchd/Windows helper)"
+    cmds:
+      - ./scripts/cliproxy-service.sh start
+
+  service:stop:
+    desc: "Stop cliproxyapi++ service (systemd/launchd/Windows helper)"
+    cmds:
+      - ./scripts/cliproxy-service.sh stop
+
+  service:restart:
+    desc: "Restart cliproxyapi++ service (systemd/launchd/Windows helper)"
+    cmds:
+      - ./scripts/cliproxy-service.sh restart
+
+  service:install:
+    desc: "Install cliproxyapi++ service scaffold (systemd/launchd)"
+    cmds:
+      - ./scripts/cliproxy-service.sh install
+
+  service:test:
+    desc: "Run cliproxy service helper contract tests"
+    cmds:
+      - ./scripts/cliproxy-service-test.sh
+
   # -- Health & Diagnostics (UX/DX) --
   doctor:
     desc: "Check environment health for cliproxyapi++"

cmd/server/main.go

@@ -63,6 +63,13 @@ func setKiroIncognitoMode(cfg *config.Config, useIncognito, noIncognito bool) {
 	}
 }
 
+func validateKiroIncognitoFlags(useIncognito, noIncognito bool) error {
+	if useIncognito && noIncognito {
+		return fmt.Errorf("--incognito and --no-incognito cannot be used together")
+	}
+	return nil
+}
+
 // main is the entry point of the application.
 // It parses command-line flags, loads configuration, and starts the appropriate
 // service based on the provided flags (login, codex-login, or server mode).
@@ -152,9 +159,13 @@ func main() {
 
 	// Parse the command-line flags.
 	flag.Parse()
+	var err error
+	if err = validateKiroIncognitoFlags(useIncognito, noIncognito); err != nil {
+		log.Errorf("invalid Kiro browser flags: %v", err)
+		return
+	}
 
 	// Core application variables.
-	var err error
 	var cfg *config.Config
 	var isCloudDeploy bool
 	var (
@@ -620,15 +631,15 @@ func main() {
 				}
 			}
 		} else {
-      // Start the main proxy service
-      managementasset.StartAutoUpdater(context.Background(), configFilePath)
+			// Start the main proxy service
+			managementasset.StartAutoUpdater(context.Background(), configFilePath)
 
-      if cfg.AuthDir != "" {
-        kiro.InitializeAndStart(cfg.AuthDir, cfg)
-        defer kiro.StopGlobalRefreshManager()
-      }
+			if cfg.AuthDir != "" {
+				kiro.InitializeAndStart(cfg.AuthDir, cfg)
+				defer kiro.StopGlobalRefreshManager()
+			}
 
-      cmd.StartService(cfg, configFilePath, password)
+			cmd.StartService(cfg, configFilePath, password)
 		}
 	}
 }

cmd/server/main_kiro_flags_test.go

@@ -3,7 +3,7 @@ package main
 import (
 	"testing"
 
-	"github.com/router-for-me/CLIProxyAPI/v6/pkg/llmproxy/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 )
 
 func TestValidateKiroIncognitoFlags(t *testing.T) {

internal/api/handlers/management/auth_files.go

@@ -2876,7 +2876,7 @@ func (h *Handler) RequestKiloToken(c *gin.Context) {
 			Metadata: map[string]any{
 				"email":           status.UserEmail,
 				"organization_id": orgID,
-				"model":          defaults.Model,
+				"model":           defaults.Model,
 			},
 		}
 

internal/api/modules/amp/proxy.go

@@ -105,12 +105,21 @@ func createReverseProxy(upstreamURL string, secretSource SecretSource) (*httputi
 	// Modify incoming responses to handle gzip without Content-Encoding
 	// This addresses the same issue as inline handler gzip handling, but at the proxy level
 	proxy.ModifyResponse = func(resp *http.Response) error {
+		method := ""
+		path := ""
+		if resp.Request != nil {
+			method = resp.Request.Method
+			if resp.Request.URL != nil {
+				path = resp.Request.URL.Path
+			}
+		}
+
 		// Log upstream error responses for diagnostics (502, 503, etc.)
 		// These are NOT proxy connection errors - the upstream responded with an error status
 		if resp.StatusCode >= 500 {
-			log.Errorf("amp upstream responded with error [%d] for %s %s", resp.StatusCode, resp.Request.Method, resp.Request.URL.Path)
+			log.Errorf("amp upstream responded with error [%d] for %s %s", resp.StatusCode, method, path)
 		} else if resp.StatusCode >= 400 {
-			log.Warnf("amp upstream responded with client error [%d] for %s %s", resp.StatusCode, resp.Request.Method, resp.Request.URL.Path)
+			log.Warnf("amp upstream responded with client error [%d] for %s %s", resp.StatusCode, method, path)
 		}
 
 		// Only process successful responses for gzip decompression

internal/auth/copilot/copilot_auth.go

@@ -22,11 +22,11 @@ const (
 	copilotAPIEndpoint = "https://api.githubcopilot.com"
 
 	// Common HTTP header values for Copilot API requests.
-	copilotUserAgent       = "GithubCopilot/1.0"
-	copilotEditorVersion   = "vscode/1.100.0"
-	copilotPluginVersion   = "copilot/1.300.0"
-	copilotIntegrationID   = "vscode-chat"
-	copilotOpenAIIntent    = "conversation-panel"
+	copilotUserAgent     = "GithubCopilot/1.0"
+	copilotEditorVersion = "vscode/1.100.0"
+	copilotPluginVersion = "copilot/1.300.0"
+	copilotIntegrationID = "vscode-chat"
+	copilotOpenAIIntent  = "conversation-panel"
 )
 
 // CopilotAPIToken represents the Copilot API token response.

internal/auth/kiro/aws.go

@@ -506,17 +506,14 @@ func GenerateTokenFileName(tokenData *KiroTokenData) string {
 		return fmt.Sprintf("kiro-%s-%s.json", authMethod, sanitizedEmail)
 	}
 
-	// Generate sequence only when email is unavailable
-	seq := time.Now().UnixNano() % 100000
-
-	// Priority 2: For IDC, use startUrl identifier with sequence
+	// Priority 2: For IDC, use startUrl identifier
 	if authMethod == "idc" && tokenData.StartURL != "" {
 		identifier := ExtractIDCIdentifier(tokenData.StartURL)
 		if identifier != "" {
-			return fmt.Sprintf("kiro-%s-%s-%05d.json", authMethod, identifier, seq)
+			return fmt.Sprintf("kiro-%s-%s.json", authMethod, identifier)
 		}
 	}
 
-	// Priority 3: Fallback to authMethod only with sequence
-	return fmt.Sprintf("kiro-%s-%05d.json", authMethod, seq)
+	// Priority 3: Fallback to authMethod only
+	return fmt.Sprintf("kiro-%s.json", authMethod)
 }

internal/auth/kiro/aws_auth.go

@@ -23,11 +23,11 @@ const (
 	// Note: This is different from the Amazon Q streaming endpoint (q.us-east-1.amazonaws.com)
 	// used in kiro_executor.go for GenerateAssistantResponse. Both endpoints are correct
 	// for their respective API operations.
-	awsKiroEndpoint     = "https://codewhisperer.us-east-1.amazonaws.com"
-	defaultTokenFile    = "~/.aws/sso/cache/kiro-auth-token.json"
-	targetGetUsage      = "AmazonCodeWhispererService.GetUsageLimits"
-	targetListModels    = "AmazonCodeWhispererService.ListAvailableModels"
-	targetGenerateChat  = "AmazonCodeWhispererStreamingService.GenerateAssistantResponse"
+	awsKiroEndpoint    = "https://codewhisperer.us-east-1.amazonaws.com"
+	defaultTokenFile   = "~/.aws/sso/cache/kiro-auth-token.json"
+	targetGetUsage     = "AmazonCodeWhispererService.GetUsageLimits"
+	targetListModels   = "AmazonCodeWhispererService.ListAvailableModels"
+	targetGenerateChat = "AmazonCodeWhispererStreamingService.GenerateAssistantResponse"
 )
 
 // KiroAuth handles AWS CodeWhisperer authentication and API communication.

internal/auth/kiro/codewhisperer_client.go

@@ -28,11 +28,11 @@ type CodeWhispererClient struct {
 
 // UsageLimitsResponse represents the getUsageLimits API response.
 type UsageLimitsResponse struct {
-	DaysUntilReset     *int                `json:"daysUntilReset,omitempty"`
-	NextDateReset      *float64            `json:"nextDateReset,omitempty"`
-	UserInfo           *UserInfo           `json:"userInfo,omitempty"`
-	SubscriptionInfo   *SubscriptionInfo   `json:"subscriptionInfo,omitempty"`
-	UsageBreakdownList []UsageBreakdown    `json:"usageBreakdownList,omitempty"`
+	DaysUntilReset     *int              `json:"daysUntilReset,omitempty"`
+	NextDateReset      *float64          `json:"nextDateReset,omitempty"`
+	UserInfo           *UserInfo         `json:"userInfo,omitempty"`
+	SubscriptionInfo   *SubscriptionInfo `json:"subscriptionInfo,omitempty"`
+	UsageBreakdownList []UsageBreakdown  `json:"usageBreakdownList,omitempty"`
 }
 
 // UserInfo contains user information from the API.
@@ -49,13 +49,13 @@ type SubscriptionInfo struct {
 
 // UsageBreakdown contains usage details.
 type UsageBreakdown struct {
-	UsageLimit                 *int     `json:"usageLimit,omitempty"`
-	CurrentUsage               *int     `json:"currentUsage,omitempty"`
-	UsageLimitWithPrecision    *float64 `json:"usageLimitWithPrecision,omitempty"`
-	CurrentUsageWithPrecision  *float64 `json:"currentUsageWithPrecision,omitempty"`
-	NextDateReset              *float64 `json:"nextDateReset,omitempty"`
-	DisplayName                string   `json:"displayName,omitempty"`
-	ResourceType               string   `json:"resourceType,omitempty"`
+	UsageLimit                *int     `json:"usageLimit,omitempty"`
+	CurrentUsage              *int     `json:"currentUsage,omitempty"`
+	UsageLimitWithPrecision   *float64 `json:"usageLimitWithPrecision,omitempty"`
+	CurrentUsageWithPrecision *float64 `json:"currentUsageWithPrecision,omitempty"`
+	NextDateReset             *float64 `json:"nextDateReset,omitempty"`
+	DisplayName               string   `json:"displayName,omitempty"`
+	ResourceType              string   `json:"resourceType,omitempty"`
 }
 
 // NewCodeWhispererClient creates a new CodeWhisperer client.

internal/auth/kiro/cooldown.go

@@ -6,8 +6,8 @@ import (
 )
 
 const (
-	CooldownReason429         = "rate_limit_exceeded"
-	CooldownReasonSuspended   = "account_suspended"
+	CooldownReason429            = "rate_limit_exceeded"
+	CooldownReasonSuspended      = "account_suspended"
 	CooldownReasonQuotaExhausted = "quota_exhausted"
 
 	DefaultShortCooldown = 1 * time.Minute

internal/auth/kiro/fingerprint.go

@@ -37,7 +37,7 @@ var (
 		"1.0.20", "1.0.21", "1.0.22", "1.0.23",
 		"1.0.24", "1.0.25", "1.0.26", "1.0.27",
 	}
-	osTypes = []string{"darwin", "windows", "linux"}
+	osTypes    = []string{"darwin", "windows", "linux"}
 	osVersions = map[string][]string{
 		"darwin":  {"14.0", "14.1", "14.2", "14.3", "14.4", "14.5", "15.0", "15.1"},
 		"windows": {"10.0.19041", "10.0.19042", "10.0.19043", "10.0.19044", "10.0.22621", "10.0.22631"},
@@ -67,9 +67,9 @@ var (
 		"1366x768", "1440x900", "1680x1050",
 		"2560x1600", "3440x1440",
 	}
-	colorDepths          = []int{24, 32}
+	colorDepths           = []int{24, 32}
 	hardwareConcurrencies = []int{4, 6, 8, 10, 12, 16, 20, 24, 32}
-	timezoneOffsets      = []int{-480, -420, -360, -300, -240, 0, 60, 120, 480, 540}
+	timezoneOffsets       = []int{-480, -420, -360, -300, -240, 0, 60, 120, 480, 540}
 )
 
 // NewFingerprintManager 创建指纹管理器

internal/auth/kiro/jitter.go

@@ -26,9 +26,9 @@ const (
 )
 
 var (
-	jitterRand     *rand.Rand
-	jitterRandOnce sync.Once
-	jitterMu       sync.Mutex
+	jitterRand      *rand.Rand
+	jitterRandOnce  sync.Once
+	jitterMu        sync.Mutex
 	lastRequestTime time.Time
 )
 

internal/auth/kiro/metrics.go

@@ -24,10 +24,10 @@ type TokenScorer struct {
 	metrics map[string]*TokenMetrics
 
 	// Scoring weights
-	successRateWeight    float64
-	quotaWeight          float64
-	latencyWeight        float64
-	lastUsedWeight       float64
+	successRateWeight     float64
+	quotaWeight           float64
+	latencyWeight         float64
+	lastUsedWeight        float64
 	failPenaltyMultiplier float64
 }
 

internal/auth/kiro/oauth.go

@@ -23,10 +23,10 @@ import (
 const (
 	// Kiro auth endpoint
 	kiroAuthEndpoint = "https://prod.us-east-1.auth.desktop.kiro.dev"
-	
+
 	// Default callback port
 	defaultCallbackPort = 9876
-	
+
 	// Auth timeout
 	authTimeout = 10 * time.Minute
 )