feat(store): introduce GitTokenStore for token persistence via Git backend

- Added `GitTokenStore` to handle token storage and metadata using Git as a backing storage.
- Implemented methods for initialization, save, retrieval, listing, and deletion of auth files.
- Updated `go.mod` and `go.sum` to include new dependencies for Git integration.
- Integrated support for Git-backed configuration via `GitTokenStore`.
- Updated server logic to clone, initialize, and manage configurations from Git repositories.
- Added helper functions for verifying and synchronizing configuration files.
- Improved error handling and contextual logging for Git operations.
- Modified Dockerfile to include `config.example.yaml` for initial setup.
- Added `gitCommitter` interface to handle Git-based commit and push operations.
- Configured `Watcher` to detect and leverage Git-backed token stores.
- Implemented `commitConfigAsync` and `commitAuthAsync` methods for asynchronous change synchronization.
- Enhanced `GitTokenStore` with `CommitPaths` method to support selective file commits.

internal/api/handlers/management/handler.go

@@ -6,6 +6,7 @@ import (
 	"crypto/subtle"
 	"fmt"
 	"net/http"
+	"os"
 	"strings"
 	"sync"
 	"time"
@@ -25,28 +26,33 @@ type attemptInfo struct {
 
 // Handler aggregates config reference, persistence path and helpers.
 type Handler struct {
-	cfg            *config.Config
-	configFilePath string
-	mu             sync.Mutex
-
-	attemptsMu     sync.Mutex
-	failedAttempts map[string]*attemptInfo // keyed by client IP
-	authManager    *coreauth.Manager
-	usageStats     *usage.RequestStatistics
-	tokenStore     coreauth.Store
-
-	localPassword string
+	cfg                 *config.Config
+	configFilePath      string
+	mu                  sync.Mutex
+	attemptsMu          sync.Mutex
+	failedAttempts      map[string]*attemptInfo // keyed by client IP
+	authManager         *coreauth.Manager
+	usageStats          *usage.RequestStatistics
+	tokenStore          coreauth.Store
+	localPassword       string
+	allowRemoteOverride bool
+	envSecret           string
 }
 
 // NewHandler creates a new management handler instance.
 func NewHandler(cfg *config.Config, configFilePath string, manager *coreauth.Manager) *Handler {
+	envSecret, _ := os.LookupEnv("MANAGEMENT_PASSWORD")
+	envSecret = strings.TrimSpace(envSecret)
+
 	return &Handler{
-		cfg:            cfg,
-		configFilePath: configFilePath,
-		failedAttempts: make(map[string]*attemptInfo),
-		authManager:    manager,
-		usageStats:     usage.GetRequestStatistics(),
-		tokenStore:     sdkAuth.GetTokenStore(),
+		cfg:                 cfg,
+		configFilePath:      configFilePath,
+		failedAttempts:      make(map[string]*attemptInfo),
+		authManager:         manager,
+		usageStats:          usage.GetRequestStatistics(),
+		tokenStore:          sdkAuth.GetTokenStore(),
+		allowRemoteOverride: envSecret != "",
+		envSecret:           envSecret,
 	}
 }
 
@@ -72,6 +78,19 @@ func (h *Handler) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		clientIP := c.ClientIP()
 		localClient := clientIP == "127.0.0.1" || clientIP == "::1"
+		cfg := h.cfg
+		var (
+			allowRemote bool
+			secretHash  string
+		)
+		if cfg != nil {
+			allowRemote = cfg.RemoteManagement.AllowRemote
+			secretHash = cfg.RemoteManagement.SecretKey
+		}
+		if h.allowRemoteOverride {
+			allowRemote = true
+		}
+		envSecret := h.envSecret
 
 		fail := func() {}
 		if !localClient {
@@ -92,7 +111,7 @@ func (h *Handler) Middleware() gin.HandlerFunc {
 			}
 			h.attemptsMu.Unlock()
 
-			if !h.cfg.RemoteManagement.AllowRemote {
+			if !allowRemote {
 				c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "remote management disabled"})
 				return
 			}
@@ -112,8 +131,7 @@ func (h *Handler) Middleware() gin.HandlerFunc {
 				h.attemptsMu.Unlock()
 			}
 		}
-		secret := h.cfg.RemoteManagement.SecretKey
-		if secret == "" {
+		if secretHash == "" && envSecret == "" {
 			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "remote management key not set"})
 			return
 		}
@@ -149,7 +167,20 @@ func (h *Handler) Middleware() gin.HandlerFunc {
 			}
 		}
 
-		if err := bcrypt.CompareHashAndPassword([]byte(secret), []byte(provided)); err != nil {
+		if envSecret != "" && subtle.ConstantTimeCompare([]byte(provided), []byte(envSecret)) == 1 {
+			if !localClient {
+				h.attemptsMu.Lock()
+				if ai := h.failedAttempts[clientIP]; ai != nil {
+					ai.count = 0
+					ai.blockedUntil = time.Time{}
+				}
+				h.attemptsMu.Unlock()
+			}
+			c.Next()
+			return
+		}
+
+		if secretHash == "" || bcrypt.CompareHashAndPassword([]byte(secretHash), []byte(provided)) != nil {
 			if !localClient {
 				fail()
 			}

internal/api/server.go

@@ -126,6 +126,9 @@ type Server struct {
 	// configFilePath is the absolute path to the YAML config file for persistence.
 	configFilePath string
 
+	// currentPath is the absolute path to the current working directory.
+	currentPath string
+
 	// management handler
 	mgmt *managementHandlers.Handler
 
@@ -134,6 +137,9 @@ type Server struct {
 	// managementRoutesEnabled controls whether management endpoints serve real handlers.
 	managementRoutesEnabled atomic.Bool
 
+	// envManagementSecret indicates whether MANAGEMENT_PASSWORD is configured.
+	envManagementSecret bool
+
 	localPassword string
 
 	keepAliveEnabled   bool
@@ -193,16 +199,26 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 	}
 
 	engine.Use(corsMiddleware())
+	wd, err := os.Getwd()
+	if err != nil {
+		wd = configFilePath
+	}
+
+	envAdminPassword, envAdminPasswordSet := os.LookupEnv("MANAGEMENT_PASSWORD")
+	envAdminPassword = strings.TrimSpace(envAdminPassword)
+	envManagementSecret := envAdminPasswordSet && envAdminPassword != ""
 
 	// Create server instance
 	s := &Server{
-		engine:         engine,
-		handlers:       handlers.NewBaseAPIHandlers(&cfg.SDKConfig, authManager),
-		cfg:            cfg,
-		accessManager:  accessManager,
-		requestLogger:  requestLogger,
-		loggerToggle:   toggle,
-		configFilePath: configFilePath,
+		engine:              engine,
+		handlers:            handlers.NewBaseAPIHandlers(&cfg.SDKConfig, authManager),
+		cfg:                 cfg,
+		accessManager:       accessManager,
+		requestLogger:       requestLogger,
+		loggerToggle:        toggle,
+		configFilePath:      configFilePath,
+		currentPath:         wd,
+		envManagementSecret: envManagementSecret,
 	}
 	s.applyAccessConfig(nil, cfg)
 	// Initialize management handler
@@ -218,9 +234,10 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 		optionState.routerConfigurator(engine, s.handlers, cfg)
 	}
 
-	// Register management routes only when a secret is present at startup.
-	s.managementRoutesEnabled.Store(cfg.RemoteManagement.SecretKey != "")
-	if cfg.RemoteManagement.SecretKey != "" {
+	// Register management routes when configuration or environment secrets are available.
+	hasManagementSecret := cfg.RemoteManagement.SecretKey != "" || envManagementSecret
+	s.managementRoutesEnabled.Store(hasManagementSecret)
+	if hasManagementSecret {
 		s.registerManagementRoutes()
 	}
 
@@ -272,7 +289,6 @@ func (s *Server) setupRoutes() {
 	s.engine.GET("/", func(c *gin.Context) {
 		c.JSON(http.StatusOK, gin.H{
 			"message": "CLI Proxy API Server",
-			"version": "1.0.0",
 			"endpoints": []string{
 				"POST /v1/chat/completions",
 				"POST /v1/completions",
@@ -441,8 +457,8 @@ func (s *Server) serveManagementControlPanel(c *gin.Context) {
 		c.AbortWithStatus(http.StatusNotFound)
 		return
 	}
-
-	filePath := managementasset.FilePath(s.configFilePath)
+	println(s.currentPath)
+	filePath := managementasset.FilePath(s.currentPath)
 	if strings.TrimSpace(filePath) == "" {
 		c.AbortWithStatus(http.StatusNotFound)
 		return
@@ -450,7 +466,7 @@ func (s *Server) serveManagementControlPanel(c *gin.Context) {
 
 	if _, err := os.Stat(filePath); err != nil {
 		if os.IsNotExist(err) {
-			go managementasset.EnsureLatestManagementHTML(context.Background(), managementasset.StaticDir(s.configFilePath), cfg.ProxyURL)
+			go managementasset.EnsureLatestManagementHTML(context.Background(), managementasset.StaticDir(s.currentPath), cfg.ProxyURL)
 			c.AbortWithStatus(http.StatusNotFound)
 			return
 		}
@@ -691,22 +707,31 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 		prevSecretEmpty = oldCfg.RemoteManagement.SecretKey == ""
 	}
 	newSecretEmpty := cfg.RemoteManagement.SecretKey == ""
-	switch {
-	case prevSecretEmpty && !newSecretEmpty:
+	if s.envManagementSecret {
 		s.registerManagementRoutes()
 		if s.managementRoutesEnabled.CompareAndSwap(false, true) {
-			log.Info("management routes enabled after secret key update")
+			log.Info("management routes enabled via MANAGEMENT_PASSWORD")
 		} else {
 			s.managementRoutesEnabled.Store(true)
 		}
-	case !prevSecretEmpty && newSecretEmpty:
-		if s.managementRoutesEnabled.CompareAndSwap(true, false) {
-			log.Info("management routes disabled after secret key removal")
-		} else {
-			s.managementRoutesEnabled.Store(false)
+	} else {
+		switch {
+		case prevSecretEmpty && !newSecretEmpty:
+			s.registerManagementRoutes()
+			if s.managementRoutesEnabled.CompareAndSwap(false, true) {
+				log.Info("management routes enabled after secret key update")
+			} else {
+				s.managementRoutesEnabled.Store(true)
+			}
+		case !prevSecretEmpty && newSecretEmpty:
+			if s.managementRoutesEnabled.CompareAndSwap(true, false) {
+				log.Info("management routes disabled after secret key removal")
+			} else {
+				s.managementRoutesEnabled.Store(false)
+			}
+		default:
+			s.managementRoutesEnabled.Store(!newSecretEmpty)
 		}
-	default:
-		s.managementRoutesEnabled.Store(!newSecretEmpty)
 	}
 
 	s.applyAccessConfig(oldCfg, cfg)
@@ -714,7 +739,7 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 	s.handlers.UpdateClients(&cfg.SDKConfig)
 
 	if !cfg.RemoteManagement.DisableControlPanel {
-		staticDir := managementasset.StaticDir(s.configFilePath)
+		staticDir := managementasset.StaticDir(s.currentPath)
 		go managementasset.EnsureLatestManagementHTML(context.Background(), staticDir, cfg.ProxyURL)
 	}
 	if s.mgmt != nil {