@pixelbyte-software/pixcode 1.33.8 → 1.33.10

package/server/qwen-response-handler.js

@@ -1,73 +1,73 @@
-// Qwen Code Response Handler — stream-json parser.
-// Qwen Code is a fork of Gemini CLI and emits the same NDJSON stream-json
-// event shape (type: init | message | tool_use | tool_result | result | error).
-// This handler is intentionally a structural twin of gemini-response-handler;
-// the split keeps provider normalization clean and lets the two evolve
-// independently if Qwen's protocol ever diverges.
-import { sessionsService } from './modules/providers/services/sessions.service.js';
-
-class QwenResponseHandler {
-  constructor(ws, options = {}) {
-    this.ws = ws;
-    this.buffer = '';
-    this.onContentFragment = options.onContentFragment || null;
-    this.onInit = options.onInit || null;
-    this.onToolUse = options.onToolUse || null;
-    this.onToolResult = options.onToolResult || null;
-  }
-
-  processData(data) {
-    this.buffer += data;
-
-    const lines = this.buffer.split('\n');
-    this.buffer = lines.pop() || '';
-
-    for (const line of lines) {
-      if (!line.trim()) continue;
-      try {
-        const event = JSON.parse(line);
-        this.handleEvent(event);
-      } catch {
-        // Not a JSON line — debug output or CLI warning, ignore.
-      }
-    }
-  }
-
-  handleEvent(event) {
-    const sid = typeof this.ws.getSessionId === 'function' ? this.ws.getSessionId() : null;
-
-    if (event.type === 'init') {
-      if (this.onInit) this.onInit(event);
-      return;
-    }
-
-    if (event.type === 'message' && event.role === 'assistant') {
-      const content = event.content || '';
-      if (this.onContentFragment && content) this.onContentFragment(content);
-    } else if (event.type === 'tool_use' && this.onToolUse) {
-      this.onToolUse(event);
-    } else if (event.type === 'tool_result' && this.onToolResult) {
-      this.onToolResult(event);
-    }
-
-    const normalized = sessionsService.normalizeMessage('qwen', event, sid);
-    for (const msg of normalized) {
-      this.ws.send(msg);
-    }
-  }
-
-  forceFlush() {
-    if (this.buffer.trim()) {
-      try {
-        const event = JSON.parse(this.buffer);
-        this.handleEvent(event);
-      } catch { /* ignore */ }
-    }
-  }
-
-  destroy() {
-    this.buffer = '';
-  }
-}
-
-export default QwenResponseHandler;
+// Qwen Code Response Handler — stream-json parser.
+// Qwen Code is a fork of Gemini CLI and emits the same NDJSON stream-json
+// event shape (type: init | message | tool_use | tool_result | result | error).
+// This handler is intentionally a structural twin of gemini-response-handler;
+// the split keeps provider normalization clean and lets the two evolve
+// independently if Qwen's protocol ever diverges.
+import { sessionsService } from './modules/providers/services/sessions.service.js';
+
+class QwenResponseHandler {
+  constructor(ws, options = {}) {
+    this.ws = ws;
+    this.buffer = '';
+    this.onContentFragment = options.onContentFragment || null;
+    this.onInit = options.onInit || null;
+    this.onToolUse = options.onToolUse || null;
+    this.onToolResult = options.onToolResult || null;
+  }
+
+  processData(data) {
+    this.buffer += data;
+
+    const lines = this.buffer.split('\n');
+    this.buffer = lines.pop() || '';
+
+    for (const line of lines) {
+      if (!line.trim()) continue;
+      try {
+        const event = JSON.parse(line);
+        this.handleEvent(event);
+      } catch {
+        // Not a JSON line — debug output or CLI warning, ignore.
+      }
+    }
+  }
+
+  handleEvent(event) {
+    const sid = typeof this.ws.getSessionId === 'function' ? this.ws.getSessionId() : null;
+
+    if (event.type === 'init') {
+      if (this.onInit) this.onInit(event);
+      return;
+    }
+
+    if (event.type === 'message' && event.role === 'assistant') {
+      const content = event.content || '';
+      if (this.onContentFragment && content) this.onContentFragment(content);
+    } else if (event.type === 'tool_use' && this.onToolUse) {
+      this.onToolUse(event);
+    } else if (event.type === 'tool_result' && this.onToolResult) {
+      this.onToolResult(event);
+    }
+
+    const normalized = sessionsService.normalizeMessage('qwen', event, sid);
+    for (const msg of normalized) {
+      this.ws.send(msg);
+    }
+  }
+
+  forceFlush() {
+    if (this.buffer.trim()) {
+      try {
+        const event = JSON.parse(this.buffer);
+        this.handleEvent(event);
+      } catch { /* ignore */ }
+    }
+  }
+
+  destroy() {
+    this.buffer = '';
+  }
+}
+
+export default QwenResponseHandler;

package/server/routes/agent.js

@@ -10,6 +10,8 @@ import { queryClaudeSDK } from '../claude-sdk.js';
 import { spawnCursor } from '../cursor-cli.js';
 import { queryCodex } from '../openai-codex.js';
 import { spawnGemini } from '../gemini-cli.js';
+import { spawnQwen } from '../qwen-code-cli.js';
+import { spawnOpencode } from '../opencode-cli.js';
 import { Octokit } from '@octokit/rest';
 import { CLAUDE_MODELS, CURSOR_MODELS, CODEX_MODELS } from '../../shared/modelConstants.js';
 import { IS_PLATFORM } from '../constants/config.js';
@@ -44,11 +46,19 @@ const validateExternalApiKey = (req, res, next) => {
     }
   }
 
-  // Self-hosted mode: Validate API key from header or query parameter
-  const apiKey = req.headers['x-api-key'] || req.query.apiKey;
+  // Self-hosted mode: validate API key from any of the supported transports.
+  //   - Authorization: Bearer ck_... (added so /api/agent accepts the same
+  //     auth shape as the rest of the API, per the auth-unify in this turn)
+  //   - X-API-Key: ck_... (legacy, kept working)
+  //   - ?apiKey=ck_... (EventSource workaround)
+  const authHeader = req.headers['authorization'];
+  const bearer = authHeader && authHeader.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
+  const apiKey = (bearer && bearer.startsWith('ck_') ? bearer : null)
+    || req.headers['x-api-key']
+    || (typeof req.query.apiKey === 'string' ? req.query.apiKey : null);
 
   if (!apiKey) {
-    return res.status(401).json({ error: 'API key required' });
+    return res.status(401).json({ error: 'API key required (Authorization: Bearer ck_..., X-API-Key, or ?apiKey=)' });
   }
 
   const user = apiKeysDb.validateApiKey(apiKey);
@@ -529,74 +539,129 @@ class ResponseCollector {
   }
 
   /**
-   * Get filtered assistant messages only
+   * Get filtered assistant messages.
+   *
+   * Two message shapes are observed in the wild:
+   *   1. Legacy Claude-only:  { type:'claude-response', data:{ type:'assistant', message:{...} } }
+   *   2. Unified normalized:  { kind:'stream_delta'|'tool_use'|... , provider, content, ... }
+   *      (every provider after the v1.30+ unified-message migration emits this)
+   *
+   * Pre-fix this method only matched (1), so qwen / gemini / opencode / codex
+   * runs all returned an empty array even when the provider streamed real
+   * text. Now it builds:
+   *   - one synthetic assistant entry per chat turn from concatenated
+   *     `stream_delta` content (boundary = `stream_end` or `complete`)
+   *   - tool_use / tool_result entries pass through verbatim
    */
   getAssistantMessages() {
-    const assistantMessages = [];
+    const out = [];
+    let textBuffer = '';
+
+    const flushText = () => {
+      if (!textBuffer) return;
+      out.push({
+        type: 'assistant',
+        message: {
+          role: 'assistant',
+          content: [{ type: 'text', text: textBuffer }],
+        },
+      });
+      textBuffer = '';
+    };
 
-    for (const msg of this.messages) {
-      // Skip initial status message
-      if (msg && msg.type === 'status') {
+    for (const raw of this.messages) {
+      const data = typeof raw === 'string'
+        ? (() => { try { return JSON.parse(raw); } catch { return null; } })()
+        : raw;
+      if (!data) continue;
+      if (data.type === 'status') continue;
+
+      // Unified shape (every modern provider).
+      // - `stream_delta`: incremental text chunk (most providers)
+      // - `text`: full text part for one assistant turn (Claude SDK + history reads)
+      // - `thinking`: reasoning blocks; we coalesce as plain text so the API caller sees something
+      if ((data.kind === 'stream_delta' || data.kind === 'text' || data.kind === 'thinking')
+          && (typeof data.content === 'string' || Array.isArray(data.content))) {
+        const text = typeof data.content === 'string'
+          ? data.content
+          : data.content.map((part) => (typeof part === 'string' ? part : (part?.text || ''))).join('');
+        textBuffer += text;
+        continue;
+      }
+      if (data.kind === 'stream_end' || data.kind === 'complete') {
+        flushText();
+        continue;
+      }
+      if (data.kind === 'tool_use') {
+        flushText();
+        out.push({ type: 'tool_use', id: data.toolId, name: data.toolName, input: data.toolInput });
+        continue;
+      }
+      if (data.kind === 'tool_result') {
+        out.push({ type: 'tool_result', tool_use_id: data.toolId, content: data.content, is_error: data.isError });
+        continue;
+      }
+      if (data.kind === 'error' && typeof data.content === 'string') {
+        flushText();
+        out.push({ type: 'error', content: data.content });
         continue;
       }
 
-      // Handle JSON strings
-      if (typeof msg === 'string') {
-        try {
-          const parsed = JSON.parse(msg);
-          // Only include claude-response messages with assistant type
-          if (parsed.type === 'claude-response' && parsed.data && parsed.data.type === 'assistant') {
-            assistantMessages.push(parsed.data);
-          }
-        } catch (e) {
-          // Not JSON, skip
-        }
+      // Legacy Claude shape — kept so old SDK builds still report cleanly.
+      if (data.type === 'claude-response' && data.data && data.data.type === 'assistant') {
+        flushText();
+        out.push(data.data);
       }
     }
-
-    return assistantMessages;
+    flushText();
+    return out;
   }
 
   /**
-   * Calculate total tokens from all messages
+   * Calculate total tokens from all messages.
+   *
+   * Two usage shapes observed:
+   *   1. Legacy Claude:        { type:'claude-response', data:{ message:{ usage:{ input_tokens, output_tokens, cache_*_input_tokens } } } }
+   *   2. Unified `complete`/   { kind:'complete'|'stream_end', usage:{ input, output, cacheRead?, cacheCreation? }, cost? }
+   *      `stream_end` events
    */
   getTotalTokens() {
-    let totalInput = 0;
-    let totalOutput = 0;
-    let totalCacheRead = 0;
-    let totalCacheCreation = 0;
-
-    for (const msg of this.messages) {
-      let data = msg;
-
-      // Parse if string
-      if (typeof msg === 'string') {
-        try {
-          data = JSON.parse(msg);
-        } catch (e) {
-          continue;
-        }
+    let inputTokens = 0;
+    let outputTokens = 0;
+    let cacheReadTokens = 0;
+    let cacheCreationTokens = 0;
+
+    for (const raw of this.messages) {
+      const data = typeof raw === 'string'
+        ? (() => { try { return JSON.parse(raw); } catch { return null; } })()
+        : raw;
+      if (!data) continue;
+
+      // Unified shape
+      if (data.usage && typeof data.usage === 'object') {
+        inputTokens += data.usage.input || data.usage.inputTokens || data.usage.input_tokens || 0;
+        outputTokens += data.usage.output || data.usage.outputTokens || data.usage.output_tokens || 0;
+        cacheReadTokens += data.usage.cacheRead || data.usage.cache_read_input_tokens || 0;
+        cacheCreationTokens += data.usage.cacheCreation || data.usage.cache_creation_input_tokens || 0;
+        continue;
       }
 
-      // Extract usage from claude-response messages
-      if (data && data.type === 'claude-response' && data.data) {
-        const msgData = data.data;
-        if (msgData.message && msgData.message.usage) {
-          const usage = msgData.message.usage;
-          totalInput += usage.input_tokens || 0;
-          totalOutput += usage.output_tokens || 0;
-          totalCacheRead += usage.cache_read_input_tokens || 0;
-          totalCacheCreation += usage.cache_creation_input_tokens || 0;
-        }
+      // Legacy Claude
+      if (data.type === 'claude-response' && data.data && data.data.message && data.data.message.usage) {
+        const u = data.data.message.usage;
+        inputTokens += u.input_tokens || 0;
+        outputTokens += u.output_tokens || 0;
+        cacheReadTokens += u.cache_read_input_tokens || 0;
+        cacheCreationTokens += u.cache_creation_input_tokens || 0;
       }
     }
 
     return {
-      inputTokens: totalInput,
-      outputTokens: totalOutput,
-      cacheReadTokens: totalCacheRead,
-      cacheCreationTokens: totalCacheCreation,
-      totalTokens: totalInput + totalOutput + totalCacheRead + totalCacheCreation
+      inputTokens,
+      outputTokens,
+      cacheReadTokens,
+      cacheCreationTokens,
+      totalTokens: inputTokens + outputTokens + cacheReadTokens + cacheCreationTokens,
     };
   }
 }
@@ -859,8 +924,8 @@ router.post('/', validateExternalApiKey, async (req, res) => {
     return res.status(400).json({ error: 'message is required' });
   }
 
-  if (!['claude', 'cursor', 'codex', 'gemini'].includes(provider)) {
-    return res.status(400).json({ error: 'provider must be "claude", "cursor", "codex", or "gemini"' });
+  if (!['claude', 'cursor', 'codex', 'gemini', 'qwen', 'opencode'].includes(provider)) {
+    return res.status(400).json({ error: 'provider must be one of: claude, cursor, codex, gemini, qwen, opencode' });
   }
 
   // Validate GitHub branch/PR creation requirements
@@ -985,6 +1050,27 @@ router.post('/', validateExternalApiKey, async (req, res) => {
         model: model,
         skipPermissions: true // CLI mode bypasses permissions
       }, writer);
+    } else if (provider === 'qwen') {
+      console.log('🐉 Starting Qwen Code CLI session');
+
+      await spawnQwen(message.trim(), {
+        projectPath: finalProjectPath,
+        cwd: finalProjectPath,
+        sessionId: sessionId || null,
+        model: model,
+        skipPermissions: true,
+      }, writer);
+    } else if (provider === 'opencode') {
+      console.log('🅾️  Starting OpenCode CLI session');
+
+      await spawnOpencode(message.trim(), {
+        projectPath: finalProjectPath,
+        cwd: finalProjectPath,
+        sessionId: sessionId || null,
+        model: model,
+        permissionMode: 'bypassPermissions',
+        toolsSettings: { allowPatterns: [], denyPatterns: [], skipPermissions: true },
+      }, writer);
     }
 
     // Handle GitHub branch and PR creation after successful agent completion
@@ -1177,13 +1263,30 @@ router.post('/', validateExternalApiKey, async (req, res) => {
       const assistantMessages = writer.getAssistantMessages();
       const tokenSummary = writer.getTotalTokens();
 
+      // Promote provider-side errors (`writer.send({ kind:'error', ... })`)
+      // to the response envelope. Without this, providers like Codex —
+      // whose SDK swallows throws and only emits an error message — left
+      // callers with `{ success:true, messages:[] }`, indistinguishable
+      // from a quiet success. Now: any error event => success:false and
+      // the human-readable text on `error`.
+      const errorEntry = assistantMessages.find((m) => m.type === 'error');
+      const hasAssistantText = assistantMessages.some(
+        (m) => m.type === 'assistant' && m.message?.content?.some?.((p) => p.type === 'text' && p.text)
+      );
+      const succeeded = !errorEntry && (hasAssistantText || assistantMessages.some((m) => m.type === 'tool_use' || m.type === 'tool_result'));
+
       const response = {
-        success: true,
+        success: succeeded,
         sessionId: writer.getSessionId(),
         messages: assistantMessages,
         tokens: tokenSummary,
         projectPath: finalProjectPath
       };
+      if (errorEntry) {
+        response.error = errorEntry.content;
+      } else if (!succeeded) {
+        response.error = 'Provider returned no assistant text. Check backend log for details.';
+      }
 
       // Add branch/PR info if created
       if (branchInfo) {
@@ -1193,7 +1296,7 @@ router.post('/', validateExternalApiKey, async (req, res) => {
         response.pullRequest = prInfo;
       }
 
-      res.json(response);
+      res.status(succeeded ? 200 : 502).json(response);
     }
 
     // Clean up if requested
@@ -1234,9 +1337,26 @@ router.post('/', validateExternalApiKey, async (req, res) => {
         writer.end();
       }
     } else if (!res.headersSent) {
-      res.status(500).json({
+      // Surface any provider-side stderr/error events the writer collected
+      // BEFORE the throw — without this, callers only see the bland
+      // "Gemini CLI exited with code 403" wrapper and lose the actual
+      // "PERMISSION_DENIED, model not enabled for this account" detail
+      // that the CLI printed to stderr.
+      let collectedError = null;
+      let collectedMessages = [];
+      if (writer && typeof writer.getAssistantMessages === 'function') {
+        try {
+          collectedMessages = writer.getAssistantMessages();
+          const errEntry = collectedMessages.find((m) => m.type === 'error');
+          if (errEntry) collectedError = errEntry.content;
+        } catch { /* ignore — fall back to error.message */ }
+      }
+      res.status(502).json({
         success: false,
-        error: error.message
+        sessionId: writer && typeof writer.getSessionId === 'function' ? writer.getSessionId() : null,
+        error: collectedError || error.message,
+        wrapperError: collectedError ? error.message : undefined,
+        messages: collectedMessages,
       });
     }
   }

package/server/routes/projects.js

@@ -18,7 +18,18 @@ export const WORKSPACES_BASE = path.resolve(
   process.env.WORKSPACES_BASE || path.join(WORKSPACES_ROOT, 'pixcode', 'projects')
 );
 
-// System-critical paths that should never be used as workspace directories
+// System-critical paths that should never be used as workspace directories.
+// `/root` is conditional — included only when the server is NOT running as
+// root. On a typical VPS deployment (`sudo` install, root-owned daemon)
+// `/root` IS the user's home directory, blocking projects under it locks
+// users out of their own filesystem. The carve-out below was meant to
+// handle this but only allowed paths under WORKSPACES_BASE — users with
+// `/root/foo` from before Pixcode existed couldn't open them.
+const RUNNING_AS_ROOT =
+  process.platform !== 'win32' &&
+  typeof process.getuid === 'function' &&
+  process.getuid() === 0;
+
 export const FORBIDDEN_PATHS = [
   // Unix
   '/',
@@ -31,7 +42,7 @@ export const FORBIDDEN_PATHS = [
   '/sys',
   '/var',
   '/boot',
-  '/root',
+  ...(RUNNING_AS_ROOT ? [] : ['/root']),
   '/lib',
   '/lib64',
   '/opt',
@@ -413,15 +424,18 @@ router.post('/quick-start', async (req, res) => {
  */
 router.post('/create-workspace', async (req, res) => {
   try {
-    const { workspaceType, path: workspacePath, githubUrl, githubTokenId, newGithubToken } = req.body;
+    const { workspaceType, path: workspacePath, githubUrl, githubTokenId, newGithubToken, subfolderName } = req.body;
 
     // Validate required fields
     if (!workspaceType || !workspacePath) {
       return res.status(400).json({ error: 'workspaceType and path are required' });
     }
 
-    if (!['existing', 'new'].includes(workspaceType)) {
-      return res.status(400).json({ error: 'workspaceType must be "existing" or "new"' });
+    // 'existing' = open the picked folder as-is
+    // 'new'      = clone a github repo into the picked folder (legacy name kept for client compat)
+    // 'subfolder'= create a fresh subfolder INSIDE the picked folder and open that
+    if (!['existing', 'new', 'subfolder'].includes(workspaceType)) {
+      return res.status(400).json({ error: 'workspaceType must be "existing", "new", or "subfolder"' });
     }
 
     // Validate path safety before any operations
@@ -452,13 +466,127 @@ router.post('/create-workspace', async (req, res) => {
         throw error;
       }
 
-      // Add the existing workspace to the project list
-      const project = await addProjectManually(absolutePath);
+      // Add the existing workspace to the project list. If the user picks
+      // a folder Pixcode has already registered (very common when bouncing
+      // between sessions or re-opening the wizard on the same project),
+      // `addProjectManually` throws "Project already configured…" — that
+      // used to surface as a hard error in the UI even though the right
+      // outcome is "great, let's just open it." Treat that one specific
+      // throw as a soft re-open and return a 200 with `alreadyExisted: true`
+      // so the wizard can show "Opened existing workspace" instead of the
+      // raw error message.
+      let project;
+      let alreadyExisted = false;
+      try {
+        project = await addProjectManually(absolutePath);
+      } catch (error) {
+        const msg = error?.message || '';
+        if (!/already configured/i.test(msg)) throw error;
+        alreadyExisted = true;
+        project = {
+          name: absolutePath.replace(/[\\/:]/g, '-').replace(/\./g, '-'),
+          path: absolutePath,
+          fullPath: absolutePath,
+          displayName: path.basename(absolutePath),
+          isManuallyAdded: true,
+          sessions: [],
+          cursorSessions: [],
+        };
+      }
 
       return res.json({
         success: true,
         project,
-        message: 'Existing workspace added successfully'
+        alreadyExisted,
+        message: alreadyExisted
+          ? 'Workspace was already registered — opening it'
+          : 'Existing workspace added successfully'
+      });
+    }
+
+    // Handle subfolder creation: user picked a parent dir, we mkdir
+    // <parent>/<subfolderName> and open that.
+    if (workspaceType === 'subfolder') {
+      const trimmedName = typeof subfolderName === 'string' ? subfolderName.trim() : '';
+      if (!trimmedName) {
+        return res.status(400).json({ error: 'subfolderName is required when workspaceType is "subfolder"' });
+      }
+      // Reject path-traversal / nested separators / reserved names. The
+      // wizard's UI will only ever send a flat folder name; anything else
+      // is either a bug or someone fishing.
+      if (/[\\/]/.test(trimmedName) || trimmedName === '.' || trimmedName === '..') {
+        return res.status(400).json({ error: 'subfolderName must be a single folder name (no path separators)' });
+      }
+
+      // Verify parent dir exists (we don't auto-create the picked parent —
+      // user already pointed at a real folder).
+      try {
+        const stats = await fs.stat(absolutePath);
+        if (!stats.isDirectory()) {
+          return res.status(400).json({ error: 'Parent path is not a directory' });
+        }
+      } catch (error) {
+        if (error.code === 'ENOENT') {
+          return res.status(404).json({ error: 'Parent directory does not exist' });
+        }
+        throw error;
+      }
+
+      const childPath = path.join(absolutePath, trimmedName);
+
+      // Validate the resulting path too — don't let "subfolder=foo/../../etc"
+      // bypass the parent-only check above. validateWorkspacePath already
+      // rejects symlink escapes and FORBIDDEN_PATHS.
+      const childValidation = await validateWorkspacePath(childPath);
+      if (!childValidation.valid) {
+        return res.status(400).json({
+          error: 'Invalid subfolder path',
+          details: childValidation.error,
+        });
+      }
+      const childAbsolute = childValidation.resolvedPath;
+
+      // Refuse to clobber an existing folder with content — user can pick
+      // "existing" instead. Empty/missing → mkdir.
+      try {
+        const childEntries = await fs.readdir(childAbsolute);
+        if (childEntries.length > 0) {
+          return res.status(409).json({
+            error: 'Subfolder already exists and is not empty',
+            details: `Pick a different name or open "${childAbsolute}" as an existing workspace.`,
+          });
+        }
+      } catch (error) {
+        if (error.code !== 'ENOENT') throw error;
+      }
+      await fs.mkdir(childAbsolute, { recursive: true });
+
+      let subProject;
+      let subAlreadyExisted = false;
+      try {
+        subProject = await addProjectManually(childAbsolute);
+      } catch (error) {
+        const msg = error?.message || '';
+        if (!/already configured/i.test(msg)) throw error;
+        subAlreadyExisted = true;
+        subProject = {
+          name: childAbsolute.replace(/[\\/:]/g, '-').replace(/\./g, '-'),
+          path: childAbsolute,
+          fullPath: childAbsolute,
+          displayName: trimmedName,
+          isManuallyAdded: true,
+          sessions: [],
+          cursorSessions: [],
+        };
+      }
+
+      return res.json({
+        success: true,
+        project: subProject,
+        alreadyExisted: subAlreadyExisted,
+        message: subAlreadyExisted
+          ? 'Subfolder was already registered — opening it'
+          : 'Subfolder created successfully',
       });
     }