@pixelbyte-software/pixcode 1.33.10 → 1.33.11

package/server/utils/port-access.js

@@ -1,209 +1,209 @@
-import os from 'os';
-import fs from 'fs';
-import path from 'path';
-import readline from 'readline';
-import { execSync } from 'child_process';
-
-import { c } from './colors.js';
-
-/**
- * Tracks inbound port access decisions across runs so the server doesn't
- * re-prompt the user (on Windows/macOS) every start, and can skip work on
- * Linux where a rule has already been applied.
- */
-const STATE_FILE = path.join(os.homedir(), '.pixcode', 'port-access.json');
-
-function loadState() {
-  try {
-    return JSON.parse(fs.readFileSync(STATE_FILE, 'utf8'));
-  } catch {
-    return {};
-  }
-}
-
-function saveState(state) {
-  try {
-    fs.mkdirSync(path.dirname(STATE_FILE), { recursive: true });
-    fs.writeFileSync(STATE_FILE, JSON.stringify(state, null, 2));
-  } catch {
-    // Persisting the decision is a nice-to-have; failure shouldn't block start.
-  }
-}
-
-/** Return all non-loopback IPv4 addresses assigned to this host. */
-export function getLanIps() {
-  const ifs = os.networkInterfaces();
-  const ips = [];
-  for (const name of Object.keys(ifs)) {
-    for (const ni of ifs[name] || []) {
-      if (ni.family === 'IPv4' && !ni.internal) ips.push(ni.address);
-    }
-  }
-  return ips;
-}
-
-function askYN(question) {
-  return new Promise((resolve) => {
-    if (!process.stdin.isTTY || !process.stdout.isTTY) {
-      resolve(null); // headless / daemon context — skip
-      return;
-    }
-    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-    rl.question(question, (answer) => {
-      rl.close();
-      const normalized = answer.trim().toLowerCase();
-      resolve(['y', 'yes', 'e', 'evet'].includes(normalized));
-    });
-  });
-}
-
-// ---------------- Linux ----------------
-
-function tryUfw(port) {
-  try {
-    execSync('command -v ufw', { stdio: 'pipe' });
-    const status = execSync('ufw status', { stdio: 'pipe', encoding: 'utf8' });
-    // UFW inactive = no rule needed; the port is already reachable.
-    if (!/active/i.test(status)) return 'inactive';
-    execSync(`sudo -n ufw allow ${port}/tcp`, { stdio: 'pipe' });
-    return 'applied';
-  } catch {
-    return null;
-  }
-}
-
-function tryFirewalld(port) {
-  try {
-    execSync('command -v firewall-cmd', { stdio: 'pipe' });
-    const state = execSync('firewall-cmd --state', { stdio: 'pipe', encoding: 'utf8' });
-    if (!/running/i.test(state)) return 'inactive';
-    execSync(`sudo -n firewall-cmd --add-port=${port}/tcp --permanent`, { stdio: 'pipe' });
-    execSync('sudo -n firewall-cmd --reload', { stdio: 'pipe' });
-    return 'applied';
-  } catch {
-    return null;
-  }
-}
-
-// ---------------- Windows ----------------
-
-function applyWindowsRule(port) {
-  const ruleName = `Pixcode-${port}`;
-  const cmd = `netsh advfirewall firewall add rule name="${ruleName}" dir=in action=allow protocol=TCP localport=${port}`;
-  try {
-    execSync(cmd, { stdio: 'pipe' });
-    return { ok: true, cmd, ruleName };
-  } catch (error) {
-    return { ok: false, cmd, ruleName, error: error.message };
-  }
-}
-
-// ---------------- macOS ----------------
-
-function macFirewallHint(port) {
-  return [
-    `${c.tip('[TIP]')}  macOS Application Firewall is per-app, not per-port.`,
-    '       If other devices can\'t connect, open:',
-    '       System Settings > Network > Firewall > Options',
-    `       and add Node.js to "Allow incoming connections" (port ${port}).`,
-  ].join('\n');
-}
-
-// ---------------- Main entry ----------------
-
-/**
- * Make sure inbound traffic can reach `port` from the local network.
- *
- * - Linux: silently try ufw/firewalld with `sudo -n` (passwordless). Skips
- *   cleanly when no firewall is running or sudo is gated — LAN access
- *   already works on most desktop distros.
- * - Windows/macOS: ask the user once; remember the decision in
- *   ~/.pixcode/port-access.json so subsequent starts stay quiet.
- *
- * All failure paths are non-fatal: the server is already listening when
- * we get here, and LAN clients on the same subnet often can reach it
- * without any firewall change.
- */
-export async function ensurePortOpen(port) {
-  const state = loadState();
-  const key = `port:${port}`;
-  const entry = state[key];
-
-  const lanIps = getLanIps();
-  if (lanIps.length) {
-    console.log(`${c.info('[INFO]')} LAN access:  ${c.bright(`http://${lanIps[0]}:${port}`)}`);
-    if (lanIps.length > 1) {
-      for (const extra of lanIps.slice(1)) {
-        console.log(`${c.dim('       also:')}  http://${extra}:${port}`);
-      }
-    }
-  }
-
-  if (entry && entry.decision === 'deny') {
-    console.log(`${c.dim('[INFO]')} Firewall prompt suppressed (previously declined). Re-enable via ~/.pixcode/port-access.json`);
-    return;
-  }
-
-  const platform = process.platform;
-
-  if (platform === 'linux') {
-    if (entry && entry.status === 'applied') return;
-    const result = tryUfw(port) || tryFirewalld(port);
-    if (result === 'applied') {
-      console.log(`${c.ok('[OK]')}   Inbound firewall rule added for port ${port}.`);
-      saveState({ ...state, [key]: { decision: 'allow', status: 'applied', via: 'linux' } });
-    } else if (result === 'inactive') {
-      console.log(`${c.dim('[INFO]')} No active firewall detected — port ${port} should be reachable.`);
-    } else {
-      console.log(`${c.tip('[TIP]')}  Couldn't auto-open port (no sudo / unsupported firewall).`);
-      console.log(`       Manual: ${c.bright(`sudo ufw allow ${port}/tcp`)}  ${c.dim('(or firewall-cmd equivalent)')}`);
-    }
-    return;
-  }
-
-  if (platform === 'win32') {
-    if (entry && entry.status === 'applied') return;
-    const approved = await askYN(
-      `${c.tip('[?]')}    Open port ${port} in Windows Firewall so other devices on your network can connect? [y/N] `,
-    );
-    if (approved === null) {
-      // No TTY — just show the manual command and move on.
-      console.log(
-        `${c.tip('[TIP]')}  To allow LAN access, run this in an elevated PowerShell:\n       ${c.bright(
-          `netsh advfirewall firewall add rule name="Pixcode-${port}" dir=in action=allow protocol=TCP localport=${port}`,
-        )}`,
-      );
-      return;
-    }
-    if (!approved) {
-      console.log(`${c.dim('[INFO]')} Skipping firewall change.`);
-      saveState({ ...state, [key]: { decision: 'deny' } });
-      return;
-    }
-    const result = applyWindowsRule(port);
-    if (result.ok) {
-      console.log(`${c.ok('[OK]')}   Firewall rule "${result.ruleName}" added.`);
-      saveState({ ...state, [key]: { decision: 'allow', status: 'applied', via: 'windows' } });
-    } else {
-      console.log(`${c.tip('[TIP]')}  Adding the rule needs Administrator. Run this in an elevated PowerShell:`);
-      console.log(`       ${c.bright(result.cmd)}`);
-      saveState({ ...state, [key]: { decision: 'allow', status: 'manual' } });
-    }
-    return;
-  }
-
-  if (platform === 'darwin') {
-    if (entry && entry.status) return;
-    const approved = await askYN(
-      `${c.tip('[?]')}    Allow inbound connections on port ${port} through macOS firewall? [y/N] `,
-    );
-    if (approved === null) return;
-    if (!approved) {
-      console.log(`${c.dim('[INFO]')} Skipping firewall hint.`);
-      saveState({ ...state, [key]: { decision: 'deny' } });
-      return;
-    }
-    console.log(macFirewallHint(port));
-    saveState({ ...state, [key]: { decision: 'allow', status: 'manual', via: 'macos' } });
-  }
-}
+import os from 'os';
+import fs from 'fs';
+import path from 'path';
+import readline from 'readline';
+import { execSync } from 'child_process';
+
+import { c } from './colors.js';
+
+/**
+ * Tracks inbound port access decisions across runs so the server doesn't
+ * re-prompt the user (on Windows/macOS) every start, and can skip work on
+ * Linux where a rule has already been applied.
+ */
+const STATE_FILE = path.join(os.homedir(), '.pixcode', 'port-access.json');
+
+function loadState() {
+  try {
+    return JSON.parse(fs.readFileSync(STATE_FILE, 'utf8'));
+  } catch {
+    return {};
+  }
+}
+
+function saveState(state) {
+  try {
+    fs.mkdirSync(path.dirname(STATE_FILE), { recursive: true });
+    fs.writeFileSync(STATE_FILE, JSON.stringify(state, null, 2));
+  } catch {
+    // Persisting the decision is a nice-to-have; failure shouldn't block start.
+  }
+}
+
+/** Return all non-loopback IPv4 addresses assigned to this host. */
+export function getLanIps() {
+  const ifs = os.networkInterfaces();
+  const ips = [];
+  for (const name of Object.keys(ifs)) {
+    for (const ni of ifs[name] || []) {
+      if (ni.family === 'IPv4' && !ni.internal) ips.push(ni.address);
+    }
+  }
+  return ips;
+}
+
+function askYN(question) {
+  return new Promise((resolve) => {
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+      resolve(null); // headless / daemon context — skip
+      return;
+    }
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(question, (answer) => {
+      rl.close();
+      const normalized = answer.trim().toLowerCase();
+      resolve(['y', 'yes', 'e', 'evet'].includes(normalized));
+    });
+  });
+}
+
+// ---------------- Linux ----------------
+
+function tryUfw(port) {
+  try {
+    execSync('command -v ufw', { stdio: 'pipe' });
+    const status = execSync('ufw status', { stdio: 'pipe', encoding: 'utf8' });
+    // UFW inactive = no rule needed; the port is already reachable.
+    if (!/active/i.test(status)) return 'inactive';
+    execSync(`sudo -n ufw allow ${port}/tcp`, { stdio: 'pipe' });
+    return 'applied';
+  } catch {
+    return null;
+  }
+}
+
+function tryFirewalld(port) {
+  try {
+    execSync('command -v firewall-cmd', { stdio: 'pipe' });
+    const state = execSync('firewall-cmd --state', { stdio: 'pipe', encoding: 'utf8' });
+    if (!/running/i.test(state)) return 'inactive';
+    execSync(`sudo -n firewall-cmd --add-port=${port}/tcp --permanent`, { stdio: 'pipe' });
+    execSync('sudo -n firewall-cmd --reload', { stdio: 'pipe' });
+    return 'applied';
+  } catch {
+    return null;
+  }
+}
+
+// ---------------- Windows ----------------
+
+function applyWindowsRule(port) {
+  const ruleName = `Pixcode-${port}`;
+  const cmd = `netsh advfirewall firewall add rule name="${ruleName}" dir=in action=allow protocol=TCP localport=${port}`;
+  try {
+    execSync(cmd, { stdio: 'pipe' });
+    return { ok: true, cmd, ruleName };
+  } catch (error) {
+    return { ok: false, cmd, ruleName, error: error.message };
+  }
+}
+
+// ---------------- macOS ----------------
+
+function macFirewallHint(port) {
+  return [
+    `${c.tip('[TIP]')}  macOS Application Firewall is per-app, not per-port.`,
+    '       If other devices can\'t connect, open:',
+    '       System Settings > Network > Firewall > Options',
+    `       and add Node.js to "Allow incoming connections" (port ${port}).`,
+  ].join('\n');
+}
+
+// ---------------- Main entry ----------------
+
+/**
+ * Make sure inbound traffic can reach `port` from the local network.
+ *
+ * - Linux: silently try ufw/firewalld with `sudo -n` (passwordless). Skips
+ *   cleanly when no firewall is running or sudo is gated — LAN access
+ *   already works on most desktop distros.
+ * - Windows/macOS: ask the user once; remember the decision in
+ *   ~/.pixcode/port-access.json so subsequent starts stay quiet.
+ *
+ * All failure paths are non-fatal: the server is already listening when
+ * we get here, and LAN clients on the same subnet often can reach it
+ * without any firewall change.
+ */
+export async function ensurePortOpen(port) {
+  const state = loadState();
+  const key = `port:${port}`;
+  const entry = state[key];
+
+  const lanIps = getLanIps();
+  if (lanIps.length) {
+    console.log(`${c.info('[INFO]')} LAN access:  ${c.bright(`http://${lanIps[0]}:${port}`)}`);
+    if (lanIps.length > 1) {
+      for (const extra of lanIps.slice(1)) {
+        console.log(`${c.dim('       also:')}  http://${extra}:${port}`);
+      }
+    }
+  }
+
+  if (entry && entry.decision === 'deny') {
+    console.log(`${c.dim('[INFO]')} Firewall prompt suppressed (previously declined). Re-enable via ~/.pixcode/port-access.json`);
+    return;
+  }
+
+  const platform = process.platform;
+
+  if (platform === 'linux') {
+    if (entry && entry.status === 'applied') return;
+    const result = tryUfw(port) || tryFirewalld(port);
+    if (result === 'applied') {
+      console.log(`${c.ok('[OK]')}   Inbound firewall rule added for port ${port}.`);
+      saveState({ ...state, [key]: { decision: 'allow', status: 'applied', via: 'linux' } });
+    } else if (result === 'inactive') {
+      console.log(`${c.dim('[INFO]')} No active firewall detected — port ${port} should be reachable.`);
+    } else {
+      console.log(`${c.tip('[TIP]')}  Couldn't auto-open port (no sudo / unsupported firewall).`);
+      console.log(`       Manual: ${c.bright(`sudo ufw allow ${port}/tcp`)}  ${c.dim('(or firewall-cmd equivalent)')}`);
+    }
+    return;
+  }
+
+  if (platform === 'win32') {
+    if (entry && entry.status === 'applied') return;
+    const approved = await askYN(
+      `${c.tip('[?]')}    Open port ${port} in Windows Firewall so other devices on your network can connect? [y/N] `,
+    );
+    if (approved === null) {
+      // No TTY — just show the manual command and move on.
+      console.log(
+        `${c.tip('[TIP]')}  To allow LAN access, run this in an elevated PowerShell:\n       ${c.bright(
+          `netsh advfirewall firewall add rule name="Pixcode-${port}" dir=in action=allow protocol=TCP localport=${port}`,
+        )}`,
+      );
+      return;
+    }
+    if (!approved) {
+      console.log(`${c.dim('[INFO]')} Skipping firewall change.`);
+      saveState({ ...state, [key]: { decision: 'deny' } });
+      return;
+    }
+    const result = applyWindowsRule(port);
+    if (result.ok) {
+      console.log(`${c.ok('[OK]')}   Firewall rule "${result.ruleName}" added.`);
+      saveState({ ...state, [key]: { decision: 'allow', status: 'applied', via: 'windows' } });
+    } else {
+      console.log(`${c.tip('[TIP]')}  Adding the rule needs Administrator. Run this in an elevated PowerShell:`);
+      console.log(`       ${c.bright(result.cmd)}`);
+      saveState({ ...state, [key]: { decision: 'allow', status: 'manual' } });
+    }
+    return;
+  }
+
+  if (platform === 'darwin') {
+    if (entry && entry.status) return;
+    const approved = await askYN(
+      `${c.tip('[?]')}    Allow inbound connections on port ${port} through macOS firewall? [y/N] `,
+    );
+    if (approved === null) return;
+    if (!approved) {
+      console.log(`${c.dim('[INFO]')} Skipping firewall hint.`);
+      saveState({ ...state, [key]: { decision: 'deny' } });
+      return;
+    }
+    console.log(macFirewallHint(port));
+    saveState({ ...state, [key]: { decision: 'allow', status: 'manual', via: 'macos' } });
+  }
+}

package/scripts/rest-sweep.mjs

@@ -1,93 +0,0 @@
-// REST sweep - verifies every spec endpoint actually exists
-import fs from 'node:fs';
-import os from 'node:os';
-import path from 'node:path';
-import YAML from 'yaml';
-
-const KEY = (fs.readFileSync('.env','utf8').match(/^PIXCODE_TEST_API_KEY=(\S+)/m) || [])[1];
-if (!KEY) { console.error('no key'); process.exit(1); }
-
-const BASE = 'http://localhost:3001';
-const PROJECT = 'c--Users-ALICOMERT-Documents-PROJELER-airforce';
-const SESSION = '5c89f06c-352a-4c86-ae1a-258e2bfcb321';
-
-const subs = {
-  '{provider}': 'claude',
-  '{projectName}': PROJECT,
-  '{sessionId}': SESSION,
-  '{keyId}': '999999',
-  '{jobId}': 'nonexistent',
-  '{name}': 'test-mcp',
-  '{fileId}': 'auth.json',
-};
-
-const spec = YAML.parse(fs.readFileSync('public/openapi.yaml','utf8'));
-const endpoints = [];
-for (const [p, ops] of Object.entries(spec.paths)) {
-  for (const [m, op] of Object.entries(ops)) {
-    if (!['get','post','put','patch','delete'].includes(m)) continue;
-    const isPublic = op.security && op.security.length === 0;
-    endpoints.push({ method: m.toUpperCase(), path: p, isPublic });
-  }
-}
-
-// SKIP destructive endpoints — we know these exist (they killed the server last run)
-// We'll mark them as EXISTS based on observed prior 200 response.
-const SKIP = new Set([
-  'POST /api/system/update',
-  'POST /api/system/restart',
-  'POST /api/auth/logout', // would invalidate test key potentially
-]);
-
-function resolvePath(p) {
-  let out = p;
-  for (const [k,v] of Object.entries(subs)) out = out.replaceAll(k, v);
-  // OpenAPI escapes ":" as "\:" — strip backslashes for actual URL
-  out = out.replace(/\\:/g, ':');
-  return out;
-}
-
-const results = [];
-
-for (const ep of endpoints) {
-  const key = `${ep.method} ${ep.path}`;
-  if (SKIP.has(key)) {
-    results.push({ ...ep, skipped: true, status: 200, text: 'SKIPPED (destructive, observed 200 in prior run)' });
-    console.log(`${ep.method.padEnd(6)} SKIP ${ep.isPublic?'PUB':'AUTH'} ${ep.path}`);
-    continue;
-  }
-  const url = BASE + resolvePath(ep.path);
-  const headers = {};
-  if (!ep.isPublic) headers.Authorization = `Bearer ${KEY}`;
-  let body;
-  if (['POST','PUT','PATCH'].includes(ep.method)) {
-    body = '{}';
-    headers['Content-Type'] = 'application/json';
-  }
-  let status, text = '';
-  try {
-    const ctl = new AbortController();
-    const t = setTimeout(() => ctl.abort(), 4000);
-    const res = await fetch(url, { method: ep.method, headers, body, signal: ctl.signal });
-    clearTimeout(t);
-    status = res.status;
-    text = await res.text();
-  } catch (e) {
-    status = 0;
-    text = `FETCH_ERR:${e.message}`;
-  }
-  let parsed = null;
-  try { parsed = JSON.parse(text); } catch {}
-  const isGhost = status === 404 && parsed?.error?.code === 'ROUTE_NOT_FOUND';
-  results.push({ ...ep, url, status, text: text.slice(0, 250), parsed, isGhost });
-  console.log(`${ep.method.padEnd(6)} ${String(status).padEnd(4)} ${ep.isPublic?'PUB':'AUTH'} ${ep.path}${isGhost?'  GHOST':''}${status>=500?'  5XX':''}${ep.isPublic && status===401?'  AUTH_BUG':''}`);
-}
-
-const out = path.join(os.tmpdir(), 'sweep-results.json');
-fs.writeFileSync(out, JSON.stringify(results, null, 2));
-console.log(`\nSaved: ${out}`);
-console.log(`Total: ${results.length}`);
-console.log(`Ghosts: ${results.filter(r=>r.isGhost).length}`);
-console.log(`5xx: ${results.filter(r=>r.status>=500).length}`);
-console.log(`401 on public: ${results.filter(r=>r.isPublic && r.status===401).length}`);
-console.log(`200 on authed without auth - n/a (we auth all authed)`);