fix(mitm): add Linux cert install and skip sudo password when root

[NekoMonci12]

Summary

Add Linux certificate management via update-ca-certificates for Docker support. Skip sudo password validation when running as root, matching the existing cli-tools route behavior.

Turbopack resolveAlias (@/mitm/manager → manager.stub.ts) was designed
for build-time safety but Next.js applies aliases to ALL imports
including dynamic ones. This caused await import("@/mitm/manager") at
runtime to load the stub, which silently returned fake {running: true}
without spawning the MITM proxy. The UI showed "MITM proxy started"
but nothing was actually running.

Fix introduces a two-path design:

• @/mitm/manager → stub (build-time, safe for Turbopack)
• @/mitm/manager.runtime → real manager (runtime, bypasses alias)

Route handlers now dynamic-import from manager.runtime, which
re-exports from ./manager and does NOT match the alias pattern.

Additional fixes:

• Make stub throw explicit errors at runtime so misconfiguration is
  immediately visible instead of silently faking success
• Add server.cjs to outputFileTracingIncludes (NFT trace) and Dockerfile
  COPY so the MITM server binary exists in standalone/Docker output

Related Issues

• Closes #
• Related to #

Validation

• npm run lint
• npm run test:unit
• npm run test:coverage
• Coverage is still >= 60% for statements, lines, functions, and branches
• SonarQube PR analysis is green or any remaining issues are explicitly documented below

Tests Added Or Updated

• List every changed or added automated test file.
• If no production code changed, state that here.

Coverage Notes

• If this PR changes src/, open-sse/, electron/, or bin/, explain which tests cover the change.
• If coverage moved down in any touched file, explain why and what follow-up task will recover it.

Reviewer Notes

• Call out any risky areas, migrations, feature flags, or manual validation that reviewers should know about.

[gemini-code-assist]

Code Review

This pull request introduces Linux support for MITM certificate management and allows root users on non-Windows platforms to bypass the sudo password requirement. The review feedback suggests optimizing the Linux certificate installation process by combining multiple sudo commands into a single shell execution to reduce password prompts. Additionally, it recommends refining error handling to be platform-appropriate, avoiding the aggressive --fresh flag during certificate updates to prevent side effects, and ensuring original error messages are preserved for better debugging.

[gemini-code-assist]

Executing multiple sequential sudo commands is inefficient and will result in multiple password prompts if the user is not running as root and sudo is configured to require a password for each invocation. It is better to combine these into a single command string executed via sh -c to ensure only one authorization is needed.

Suggested change

	await execFileWithPassword("sudo", ["-S", "mkdir", "-p", LINUX_CA_DIR], sudoPassword);
	await execFileWithPassword("sudo", ["-S", "cp", certPath, LINUX_CERT_DEST], sudoPassword);
	await execFileWithPassword("sudo", ["-S", "update-ca-certificates"], sudoPassword);
	const command = `mkdir -p "${LINUX_CA_DIR}" && cp "${certPath}" "${LINUX_CERT_DEST}" && update-ca-certificates`;
	await execFileWithPassword("sudo", ["-S", "sh", "-c", command], sudoPassword);

[gemini-code-assist]

The check for the string "canceled" in the error message is specific to macOS security tools and is unlikely to be triggered by standard Linux sudo or system commands. On Linux, failures are more likely to be due to incorrect passwords or permission issues. Consider refining the error handling to be platform-appropriate or more generic.

[gemini-code-assist]

The --fresh flag for update-ca-certificates is quite aggressive as it re-generates all symlinks in /etc/ssl/certs and removes any that are broken. While it ensures the removed certificate is fully purged, it may have unintended side effects on other manually managed certificates in the system store. A standard update-ca-certificates call is usually sufficient after deleting the source file.

Suggested change

	await execFileWithPassword("sudo", ["-S", "update-ca-certificates", "--fresh"], sudoPassword);
	await execFileWithPassword("sudo", ["-S", "update-ca-certificates"], sudoPassword);

[gemini-code-assist]

The actual error message is being swallowed here, which makes debugging difficult if the uninstallation fails. It is better to include the original error message in the thrown Error.

Suggested change

	throw new Error("Failed to uninstall certificate");
	throw new Error(`Failed to uninstall certificate: ${getErrorMessage(err)}`);

[diegosouzapw]

Thank you @NekoMonci12 for your contribution! This has been reviewed and is now merged into release/v3.8.0 for the upcoming release. Amazing work!