npm - @pixelbyte-software/pixcode - Versions diffs - 1.31.13 → 1.33.0 - Mend

@pixelbyte-software/pixcode 1.31.13 → 1.33.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

package/server/modules/providers/provider.routes.ts CHANGED Viewed

@@ -29,6 +29,7 @@ import {
   GEMINI_MODELS,
   QWEN_MODELS,
   CURSOR_MODELS,
+  OPENCODE_MODELS,
 } from '../../../shared/modelConstants.js';
 const STATIC_MODELS_BY_PROVIDER: Record<LLMProvider, Array<{ value: string; label: string }>> = {
@@ -37,6 +38,7 @@ const STATIC_MODELS_BY_PROVIDER: Record<LLMProvider, Array<{ value: string; labe
   cursor: CURSOR_MODELS.OPTIONS,
   gemini: GEMINI_MODELS.OPTIONS,
   qwen: QWEN_MODELS.OPTIONS,
+  opencode: OPENCODE_MODELS.OPTIONS,
 };
 import type { LLMProvider, McpScope, McpTransport, UpsertProviderMcpServerInput } from '@/shared/types.js';
 import { AppError, asyncHandler, createApiSuccessResponse } from '@/shared/utils.js';
@@ -68,6 +70,7 @@ const PROVIDER_INSTALL_PACKAGES: Record<LLMProvider, string | null> = {
   codex: '@openai/codex',
   gemini: '@google/gemini-cli',
   qwen: '@qwen-code/qwen-code',
+  opencode: 'opencode-ai',
   // Cursor ships via a bash script hosted at cursor.com; safer to ask
   // users to run it themselves than to pipe-to-bash from our server.
   cursor: null,
@@ -78,6 +81,7 @@ const PROVIDER_INSTALL_COMMANDS: Record<LLMProvider, string | null> = {
   codex: 'npm install -g @openai/codex',
   gemini: 'npm install -g @google/gemini-cli',
   qwen: 'npm install -g @qwen-code/qwen-code',
+  opencode: 'npm install -g opencode-ai',
   cursor: null,
 };

package/server/modules/providers/shared/provider-configs.ts CHANGED Viewed

@@ -108,6 +108,30 @@ export const PROVIDER_CONFIG_FILES: Record<string, ProviderConfigFile[]> = {
       description: 'Environment variables (DASHSCOPE_API_KEY, OPENAI_API_KEY for OpenAI-compatible routes, …).',
     },
   ],
+  opencode: [
+    {
+      id: 'config',
+      label: 'opencode.json',
+      relativePath: '.config/opencode/opencode.json',
+      format: 'json',
+      description: 'Main OpenCode config — provider, model, MCP servers, permission rules, agents.',
+    },
+    {
+      id: 'tui',
+      label: 'tui.json',
+      relativePath: '.config/opencode/tui.json',
+      format: 'json',
+      description: 'Terminal UI preferences (theme, keybinds). Separate from the main config since 2026-02.',
+    },
+    {
+      id: 'auth',
+      label: 'auth.json',
+      relativePath: '.local/share/opencode/auth.json',
+      format: 'json',
+      readonly: true,
+      description: 'Provider credentials managed by `opencode auth login`. Read-only here; editing would corrupt stored OAuth tokens.',
+    },
+  ],
 };
 export const SUPPORTED_CONFIG_PROVIDERS = Object.keys(PROVIDER_CONFIG_FILES);

package/server/routes/auth.js CHANGED Viewed

@@ -1,5 +1,9 @@
 import express from 'express';
-import bcrypt from 'bcrypt';
+// bcryptjs is a pure-JS drop-in (same hash/compare API, same output format)
+// — switching from native `bcrypt` here eliminated one C++ compile from
+// the install path. Existing $2a$/$2b$ hashes in the DB remain valid;
+// bcryptjs recognizes both prefixes so logins work across the swap.
+import bcrypt from 'bcryptjs';
 import { userDb, db } from '../database/db.js';
 import { generateToken, authenticateToken } from '../middleware/auth.js';

package/server/routes/network.js CHANGED Viewed

@@ -2,8 +2,6 @@ import express from 'express';
 import os from 'os';
 import {
-  disableUpnp,
-  enableUpnp,
   getTunnelState,
   getUpnpState,
   startTunnel,
@@ -78,26 +76,20 @@ router.get('/external', (req, res) => {
   }
 });
-router.post('/upnp', async (req, res) => {
-  const port = resolveServerPort();
-  try {
-    const state = await enableUpnp({ port });
-    res.json({ success: true, upnp: state });
-  } catch (error) {
-    console.error('UPnP enable failed:', error);
-    res.status(502).json({ error: error?.message || 'UPnP enable failed', upnp: getUpnpState() });
-  }
+// UPnP endpoints removed in v1.32 (see external-access.js for rationale).
+// Clients hitting /upnp get a 410 so the UI can show a clear "moved to
+// tunnel" hint without mistaking the absence for a transient 404.
+router.post('/upnp', (_req, res) => {
+  res.status(410).json({
+    error: 'UPnP removed in v1.32 — use cloudflared or ngrok tunnels instead',
+    upnp: getUpnpState(),
+  });
 });
-router.delete('/upnp', async (req, res) => {
-  const port = resolveServerPort();
-  try {
-    const state = await disableUpnp({ port });
-    res.json({ success: true, upnp: state });
-  } catch (error) {
-    console.error('UPnP disable failed:', error);
-    res.status(502).json({ error: error?.message || 'UPnP disable failed', upnp: getUpnpState() });
-  }
+router.delete('/upnp', (_req, res) => {
+  res.status(410).json({
+    error: 'UPnP removed in v1.32 — use cloudflared or ngrok tunnels instead',
+    upnp: getUpnpState(),
+  });
 });
 router.post('/tunnel', async (req, res) => {

package/server/services/external-access.js CHANGED Viewed

@@ -1,240 +1,171 @@
-import { spawn } from 'node:child_process';
-import { createRequire } from 'node:module';
-const requireCjs = createRequire(import.meta.url);
-// nat-upnp is CommonJS and callback-based. We wrap it in promises and keep
-// one shared client per process. The client is lazily created so importing
-// this module does not try to bind SSDP sockets at boot.
-let upnpClient = null;
-const getUpnpClient = () => {
-  if (!upnpClient) {
-    const nat = requireCjs('nat-upnp');
-    upnpClient = nat.createClient();
-  }
-  return upnpClient;
-};
-let upnpState = {
-  mapped: false,
-  port: null,
-  externalIp: null,
-  externalUrl: null,
-  error: null,
-};
-// A UPnP mapping request can hang forever if the router never answers SSDP.
-// Cap every call so the HTTP endpoint doesn't dangle — we surface a clean
-// failure and the user can try tunnel mode instead.
-const withTimeout = (promise, ms, label) =>
-  Promise.race([
-    promise,
-    new Promise((_, reject) => setTimeout(() => reject(new Error(`${label} timed out after ${ms}ms`)), ms)),
-  ]);
-const promisifyUpnp = (method, arg) =>
-  new Promise((resolve, reject) => {
-    const client = getUpnpClient();
-    const cb = (err, result) => (err ? reject(err) : resolve(result));
-    if (arg === undefined) {
-      client[method](cb);
-    } else {
-      client[method](arg, cb);
-    }
-  });
-export const enableUpnp = async ({ port }) => {
-  upnpState = { ...upnpState, error: null };
-  try {
-    await withTimeout(
-      promisifyUpnp('portMapping', {
-        public: port,
-        private: port,
-        // ttl:0 is documented as "never expire" — routers honor it differently,
-        // but it's the least surprising default. We leave renewal to the user
-        // clicking "enable" again if the router drops the lease.
-        ttl: 0,
-        description: 'Pixcode',
-        protocol: 'tcp',
-      }),
-      8000,
-      'UPnP portMapping',
-    );
-    const externalIp = await withTimeout(promisifyUpnp('externalIp'), 5000, 'UPnP externalIp');
-    upnpState = {
-      mapped: true,
-      port,
-      externalIp,
-      externalUrl: externalIp ? `http://${externalIp}:${port}` : null,
-      error: null,
-    };
-    return upnpState;
-  } catch (err) {
-    upnpState = {
-      mapped: false,
-      port,
-      externalIp: null,
-      externalUrl: null,
-      error: err?.message || String(err),
-    };
-    throw err;
-  }
-};
-export const disableUpnp = async ({ port }) => {
-  try {
-    await withTimeout(promisifyUpnp('portUnmapping', { public: port, protocol: 'tcp' }), 5000, 'UPnP portUnmapping');
-  } catch (err) {
-    upnpState = { ...upnpState, error: err?.message || String(err) };
-    throw err;
-  }
-  upnpState = { mapped: false, port: null, externalIp: null, externalUrl: null, error: null };
-  return upnpState;
-};
-export const getUpnpState = () => upnpState;
-// ============================================================================
-// Tunnel: detect cloudflared / ngrok and spawn; extract the public URL from
-// stdout. We keep a single live tunnel per process — starting a new one
-// stops the previous one to avoid dangling child processes.
-// ============================================================================
-let tunnelProc = null;
-let tunnelState = {
-  running: false,
-  binary: null, // 'cloudflared' | 'ngrok'
-  url: null,
-  error: null,
-  log: [],
-};
-const appendLog = (line) => {
-  // Tunnels can be noisy. Cap the tail we retain so a long-running tunnel
-  // doesn't grow the log into an OOM risk.
-  tunnelState.log.push(line);
-  if (tunnelState.log.length > 200) tunnelState.log.shift();
-};
-const detectBinary = async () => {
-  const candidates = ['cloudflared', 'ngrok'];
-  for (const name of candidates) {
-    try {
-      // `which` isn't guaranteed on Windows; we probe with `--version` instead
-      // so the same code path works on Unix and Windows Command Prompt.
-      await new Promise((resolve, reject) => {
-        const child = spawn(name, ['--version'], { stdio: 'ignore' });
-        child.on('error', reject);
-        child.on('exit', (code) => (code === 0 ? resolve() : reject(new Error(`exit ${code}`))));
-      });
-      return name;
-    } catch {
-      // try next
-    }
-  }
-  return null;
-};
-const cloudflareUrlRegex = /https?:\/\/[a-z0-9.-]+trycloudflare\.com/i;
-const ngrokUrlRegex = /https?:\/\/[a-z0-9.-]+\.ngrok(-free)?\.(app|io)/i;
-const buildTunnelArgs = (binary, port) => {
-  if (binary === 'cloudflared') return ['tunnel', '--url', `http://localhost:${port}`];
-  if (binary === 'ngrok') return ['http', String(port), '--log', 'stdout', '--log-format', 'logfmt'];
-  throw new Error(`Unsupported tunnel binary: ${binary}`);
-};
-const extractUrl = (binary, text) => {
-  if (binary === 'cloudflared') return text.match(cloudflareUrlRegex)?.[0] ?? null;
-  if (binary === 'ngrok') return text.match(ngrokUrlRegex)?.[0] ?? null;
-  return null;
-};
-export const startTunnel = async ({ port }) => {
-  if (tunnelProc) {
-    // Already running — tell the caller to stop it first rather than silently
-    // replacing, which would orphan the old child and lie about state.
-    throw new Error('Tunnel already running; stop it first');
-  }
-  const binary = await detectBinary();
-  if (!binary) {
-    tunnelState = { running: false, binary: null, url: null, error: 'No tunnel binary found', log: [] };
-    const err = new Error('No tunnel binary found (tried cloudflared, ngrok)');
-    err.code = 'ENOENT_TUNNEL';
-    throw err;
-  }
-  const args = buildTunnelArgs(binary, port);
-  const child = spawn(binary, args, { stdio: ['ignore', 'pipe', 'pipe'] });
-  tunnelProc = child;
-  tunnelState = { running: true, binary, url: null, error: null, log: [] };
-  const handleChunk = (chunk) => {
-    const text = chunk.toString();
-    text.split(/\r?\n/).filter(Boolean).forEach(appendLog);
-    if (!tunnelState.url) {
-      const url = extractUrl(binary, text);
-      if (url) tunnelState.url = url;
-    }
-  };
-  child.stdout.on('data', handleChunk);
-  child.stderr.on('data', handleChunk);
-  child.on('exit', (code) => {
-    tunnelProc = null;
-    tunnelState = {
-      running: false,
-      binary,
-      url: null,
-      error: code === 0 ? null : `Tunnel exited with code ${code}`,
-      log: tunnelState.log,
-    };
-  });
-  // Wait up to 15s for the public URL to appear in the log. We don't block
-  // indefinitely — if the binary is hanging on login/auth, the UI should see
-  // a clear failure instead of a spinner that never resolves.
-  const start = Date.now();
-  while (Date.now() - start < 15000) {
-    if (tunnelState.url) return tunnelState;
-    if (!tunnelProc) break; // process died early
-    // eslint-disable-next-line no-await-in-loop
-    await new Promise((r) => setTimeout(r, 250));
-  }
-  if (!tunnelState.url) {
-    // If we never captured a URL, kill the child so we don't leak it.
-    try { child.kill(); } catch { /* ignore */ }
-    tunnelProc = null;
-    tunnelState = { ...tunnelState, running: false, error: 'Tunnel did not report a public URL' };
-    throw new Error(tunnelState.error);
-  }
-  return tunnelState;
-};
-export const stopTunnel = async () => {
-  if (!tunnelProc) {
-    tunnelState = { running: false, binary: null, url: null, error: null, log: [] };
-    return tunnelState;
-  }
-  try {
-    tunnelProc.kill();
-  } catch {
-    // already dead
-  }
-  tunnelProc = null;
-  tunnelState = { running: false, binary: null, url: null, error: null, log: [] };
-  return tunnelState;
-};
-export const getTunnelState = () => tunnelState;
-// Explicit cleanup so the server process can shut down without leaking the
-// child tunnel process.
-process.on('exit', () => {
-  if (tunnelProc) {
-    try { tunnelProc.kill(); } catch { /* ignore */ }
-  }
-});
+import { spawn } from 'node:child_process';
+/**
+ * External-access service.
+ *
+ * Previously exposed a UPnP auto-port-forward path via `nat-upnp`, but that
+ * package pulled in the deprecated `request` / `har-validator` / `uuid@3`
+ * chain (noise at every install). Cloudflared and ngrok cover the same
+ * "publish my laptop to the internet" use case with a better security
+ * posture (no permanent port in the router firewall), so we kept the
+ * tunnel flow and dropped UPnP entirely. If UPnP becomes a user-demanded
+ * feature again we can bring it back via a maintained package like
+ * `@achingbrain/nat-port-mapper`.
+ */
+// Keep the UPnP getter + no-op togglers so callers still compile, but they
+// always report "unavailable". This is transitional — the routes layer no
+// longer surfaces them either, so nothing in the live codebase hits these.
+const UPNP_UNAVAILABLE = Object.freeze({
+  mapped: false,
+  port: null,
+  externalIp: null,
+  externalUrl: null,
+  error: 'UPnP auto-port-forward was removed in v1.32. Use cloudflared or ngrok tunnels instead.',
+});
+export const getUpnpState = () => UPNP_UNAVAILABLE;
+// ============================================================================
+// Tunnel: detect cloudflared / ngrok and spawn; extract the public URL from
+// stdout. We keep a single live tunnel per process — starting a new one
+// stops the previous one to avoid dangling child processes.
+// ============================================================================
+let tunnelProc = null;
+let tunnelState = {
+  running: false,
+  binary: null, // 'cloudflared' | 'ngrok'
+  url: null,
+  error: null,
+  log: [],
+};
+const appendLog = (line) => {
+  // Tunnels can be noisy. Cap the tail we retain so a long-running tunnel
+  // doesn't grow the log into an OOM risk.
+  tunnelState.log.push(line);
+  if (tunnelState.log.length > 200) tunnelState.log.shift();
+};
+const detectBinary = async () => {
+  const candidates = ['cloudflared', 'ngrok'];
+  for (const name of candidates) {
+    try {
+      // `which` isn't guaranteed on Windows; we probe with `--version` instead
+      // so the same code path works on Unix and Windows Command Prompt.
+      await new Promise((resolve, reject) => {
+        const child = spawn(name, ['--version'], { stdio: 'ignore' });
+        child.on('error', reject);
+        child.on('exit', (code) => (code === 0 ? resolve() : reject(new Error(`exit ${code}`))));
+      });
+      return name;
+    } catch {
+      // try next
+    }
+  }
+  return null;
+};
+const cloudflareUrlRegex = /https?:\/\/[a-z0-9.-]+trycloudflare\.com/i;
+const ngrokUrlRegex = /https?:\/\/[a-z0-9.-]+\.ngrok(-free)?\.(app|io)/i;
+const buildTunnelArgs = (binary, port) => {
+  if (binary === 'cloudflared') return ['tunnel', '--url', `http://localhost:${port}`];
+  if (binary === 'ngrok') return ['http', String(port), '--log', 'stdout', '--log-format', 'logfmt'];
+  throw new Error(`Unsupported tunnel binary: ${binary}`);
+};
+const extractUrl = (binary, text) => {
+  if (binary === 'cloudflared') return text.match(cloudflareUrlRegex)?.[0] ?? null;
+  if (binary === 'ngrok') return text.match(ngrokUrlRegex)?.[0] ?? null;
+  return null;
+};
+export const startTunnel = async ({ port }) => {
+  if (tunnelProc) {
+    // Already running — tell the caller to stop it first rather than silently
+    // replacing, which would orphan the old child and lie about state.
+    throw new Error('Tunnel already running; stop it first');
+  }
+  const binary = await detectBinary();
+  if (!binary) {
+    tunnelState = { running: false, binary: null, url: null, error: 'No tunnel binary found', log: [] };
+    const err = new Error('No tunnel binary found (tried cloudflared, ngrok)');
+    err.code = 'ENOENT_TUNNEL';
+    throw err;
+  }
+  const args = buildTunnelArgs(binary, port);
+  const child = spawn(binary, args, { stdio: ['ignore', 'pipe', 'pipe'] });
+  tunnelProc = child;
+  tunnelState = { running: true, binary, url: null, error: null, log: [] };
+  const handleChunk = (chunk) => {
+    const text = chunk.toString();
+    text.split(/\r?\n/).filter(Boolean).forEach(appendLog);
+    if (!tunnelState.url) {
+      const url = extractUrl(binary, text);
+      if (url) tunnelState.url = url;
+    }
+  };
+  child.stdout.on('data', handleChunk);
+  child.stderr.on('data', handleChunk);
+  child.on('exit', (code) => {
+    tunnelProc = null;
+    tunnelState = {
+      running: false,
+      binary,
+      url: null,
+      error: code === 0 ? null : `Tunnel exited with code ${code}`,
+      log: tunnelState.log,
+    };
+  });
+  // Wait up to 15s for the public URL to appear in the log. We don't block
+  // indefinitely — if the binary is hanging on login/auth, the UI should see
+  // a clear failure instead of a spinner that never resolves.
+  const start = Date.now();
+  while (Date.now() - start < 15000) {
+    if (tunnelState.url) return tunnelState;
+    if (!tunnelProc) break; // process died early
+    // eslint-disable-next-line no-await-in-loop
+    await new Promise((r) => setTimeout(r, 250));
+  }
+  if (!tunnelState.url) {
+    // If we never captured a URL, kill the child so we don't leak it.
+    try { child.kill(); } catch { /* ignore */ }
+    tunnelProc = null;
+    tunnelState = { ...tunnelState, running: false, error: 'Tunnel did not report a public URL' };
+    throw new Error(tunnelState.error);
+  }
+  return tunnelState;
+};
+export const stopTunnel = async () => {
+  if (!tunnelProc) {
+    tunnelState = { running: false, binary: null, url: null, error: null, log: [] };
+    return tunnelState;
+  }
+  try {
+    tunnelProc.kill();
+  } catch {
+    // already dead
+  }
+  tunnelProc = null;
+  tunnelState = { running: false, binary: null, url: null, error: null, log: [] };
+  return tunnelState;
+};
+export const getTunnelState = () => tunnelState;
+// Explicit cleanup so the server process can shut down without leaking the
+// child tunnel process.
+process.on('exit', () => {
+  if (tunnelProc) {
+    try { tunnelProc.kill(); } catch { /* ignore */ }
+  }
+});

package/server/services/install-jobs.js CHANGED Viewed

@@ -62,6 +62,7 @@ const PACKAGE_BINARIES = {
     '@openai/codex': 'codex',
     '@google/gemini-cli': 'gemini',
     '@qwen-code/qwen-code': 'qwen',
+    'opencode-ai': 'opencode',
 };
 /**
@@ -129,6 +130,7 @@ export function resolveProviderExecutables(env = process.env) {
         { name: 'codex', envKey: 'CODEX_CLI_PATH' },
         { name: 'gemini', envKey: 'GEMINI_CLI_PATH' },
         { name: 'qwen', envKey: 'QWEN_CLI_PATH' },
+        { name: 'opencode', envKey: 'OPENCODE_CLI_PATH' },
         { name: 'cursor-agent', envKey: 'CURSOR_CLI_PATH' },
     ];
     for (const { name, envKey } of providers) {

package/server/services/provider-credentials.js CHANGED Viewed

@@ -24,10 +24,14 @@ const CONFIG_FILE = path.join(os.homedir(), '.pixcode', 'provider-credentials.js
  * inject into the spawn env. Cursor is OAuth-only; it has no api-key entry.
  */
 export const PROVIDER_ENV_VARS = Object.freeze({
-    claude: { apiKeyEnv: 'ANTHROPIC_API_KEY', baseUrlEnv: 'ANTHROPIC_BASE_URL' },
-    codex:  { apiKeyEnv: 'OPENAI_API_KEY',    baseUrlEnv: 'OPENAI_BASE_URL' },
-    gemini: { apiKeyEnv: 'GEMINI_API_KEY',    baseUrlEnv: null },
-    qwen:   { apiKeyEnv: 'OPENAI_API_KEY',    baseUrlEnv: 'OPENAI_BASE_URL' },
+    claude:   { apiKeyEnv: 'ANTHROPIC_API_KEY', baseUrlEnv: 'ANTHROPIC_BASE_URL' },
+    codex:    { apiKeyEnv: 'OPENAI_API_KEY',    baseUrlEnv: 'OPENAI_BASE_URL' },
+    gemini:   { apiKeyEnv: 'GEMINI_API_KEY',    baseUrlEnv: null },
+    qwen:     { apiKeyEnv: 'OPENAI_API_KEY',    baseUrlEnv: 'OPENAI_BASE_URL' },
+    // OpenCode is multi-provider. Set ANTHROPIC_API_KEY by default since
+    // Claude is OpenCode Zen's recommended backend; users wanting OpenAI
+    // or OpenRouter can override via the opencode.json `provider` block.
+    opencode: { apiKeyEnv: 'ANTHROPIC_API_KEY', baseUrlEnv: 'ANTHROPIC_BASE_URL' },
 });
 async function readStore() {

package/server/services/telegram/bot.js CHANGED Viewed

@@ -1,14 +1,13 @@
 import { EventEmitter } from 'node:events';
-import { createRequire } from 'node:module';
 import { telegramConfigDb, telegramLinksDb } from '../../database/db.js';
 import { t } from './translations.js';
-// node-telegram-bot-api is a CommonJS module. Using createRequire keeps the
-// default-export interop clean across ESM/CJS boundaries.
-const requireCjs = createRequire(import.meta.url);
-const TelegramBot = requireCjs('node-telegram-bot-api');
+// Swapped in v1.32: previously `node-telegram-bot-api` which carried the
+// deprecated `request`/`har-validator`/`uuid@3` chain. TelegramHttpBot is
+// a ~100-line fetch-based replacement with the same public surface
+// (getMe / sendMessage / on / stopPolling). See telegram-http-client.js.
+import { TelegramHttpBot } from './telegram-http-client.js';
 // Pairing code TTL. Ten minutes gives a user enough time to switch apps and
 // type the code without leaving a long-lived code sitting around if they
@@ -188,7 +187,7 @@ export const startBot = async ({ token, persist = true } = {}) => {
   // 409 conflicts on every long-poll.
   if (bot) await stopBot();
-  const instance = new TelegramBot(token, { polling: true });
+  const instance = new TelegramHttpBot(token, { polling: true });
   // Validate the token first — if getMe fails we never want to persist a
   // broken token or leave the poller running.
   let me;