fix(update): 权限不足时提权替换二进制文件

安装在 /usr/local/bin（root 所有）时 update 命令报 permission denied：
- Download() 改写到 os.TempDir() 避免安装目录写权限问题
- Replace() 失败且为权限错误时自动提权（osascript/sudo mv + chmod 755）

与 uninstall 的 removePrivileged 模式一致。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: DASungta

CHANGELOG.md

@@ -2,6 +2,16 @@
 
 All notable changes to this project will be documented in this file.
 
+## [v0.4.4] - 2026-04-17
+
+### Bug Fixes
+
+- **`update` 命令 permission denied**：二进制安装在 `/usr/local/bin`（root 所有）时，`update` 写临时文件和替换二进制均因权限不足失败。
+  - `Download()` 改为写入系统临时目录（`os.TempDir()`），彻底绕开安装目录写权限问题
+  - `Replace()` 失败且错误为 permission denied 时，自动通过 osascript（macOS GUI）或 sudo（SSH/Linux）提权执行 `mv + chmod 755`，与 `uninstall` 的处理模式一致
+
+---
+
 ## [v0.4.3] - 2026-04-17
 
 ### Bug Fixes

cmd/trae-proxy/main.go

@@ -424,7 +424,13 @@ func updateCmd() *cobra.Command {
 
 			fmt.Printf("[update] installing to %s...\n", exePath)
 			if err := updater.Replace(exePath, tmpPath); err != nil {
-				return err
+				if !os.IsPermission(err) {
+					return err
+				}
+				fmt.Println("[update] 权限不足，正在请求系统授权...")
+				if err2 := replacePrivileged(tmpPath, exePath); err2 != nil {
+					return fmt.Errorf("replace binary: %w", err2)
+				}
 			}
 
 			fmt.Printf("[update] updated from %s to %s\n", oldVersion, tag)
@@ -758,6 +764,21 @@ func removePrivileged(path string) error {
 	}
 }
 
+func replacePrivileged(src, dest string) error {
+	switch runtime.GOOS {
+	case "darwin":
+		return privilege.RunPrivileged("mv -f " + shellQuote(src) + " " + shellQuote(dest) + " && chmod 755 " + shellQuote(dest))
+	case "linux":
+		cmd := exec.Command("sudo", "sh", "-c", "mv -f "+shellQuote(src)+" "+shellQuote(dest)+" && chmod 755 "+shellQuote(dest))
+		cmd.Stdin = os.Stdin
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		return cmd.Run()
+	default:
+		return exec.Command("cmd", "/C", "move", "/Y", src, dest).Run()
+	}
+}
+
 func findPort443Process() int {
 	if runtime.GOOS == "windows" {
 		return 0

internal/updater/updater.go

@@ -108,9 +108,10 @@ func (u *Updater) FetchChecksum(tag, assetName string) (string, error) {
 	return "", fmt.Errorf("checksum for %q not found in checksums.txt", assetName)
 }
 
-// Download fetches the release asset to a temp file in the same directory as
-// destPath (guarantees same filesystem for atomic rename). Returns the temp path.
-func (u *Updater) Download(tag, assetName, destPath string) (string, error) {
+// Download fetches the release asset to a temp file in os.TempDir() and returns
+// the temp path. Using the system temp dir avoids permission issues when the
+// current binary lives in a root-owned directory (e.g. /usr/local/bin).
+func (u *Updater) Download(tag, assetName, _ string) (string, error) {
 	url := fmt.Sprintf("%s/%s/releases/download/%s/%s", ghBase, repo, tag, assetName)
 	resp, err := u.Client.Get(url)
 	if err != nil {
@@ -122,11 +123,11 @@ func (u *Updater) Download(tag, assetName, destPath string) (string, error) {
 		return "", fmt.Errorf("download returned HTTP %d", resp.StatusCode)
 	}
 
-	tmpPath := destPath + ".new"
-	f, err := os.OpenFile(tmpPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0755)
+	f, err := os.CreateTemp("", "trae-proxy-*.new")
 	if err != nil {
 		return "", fmt.Errorf("create temp file: %w", err)
 	}
+	tmpPath := f.Name()
 
 	if _, err := io.Copy(f, resp.Body); err != nil {
 		f.Close()