@pixelbyte-software/pixcode 1.35.0 → 1.35.2

package/server/modules/orchestration/a2a/agent-card.ts

@@ -1,55 +1,55 @@
-// server/modules/orchestration/a2a/agent-card.ts
-// Pixcode advertises itself as one A2A agent at /a2a/.well-known/agent-card.json.
-// Per-CLI adapters publish their own cards under /a2a/agents/:id/agent-card.
-
-import { readFileSync } from 'node:fs';
-import { dirname, resolve } from 'node:path';
-import { fileURLToPath } from 'node:url';
-
-import { adapterRegistry } from '@/modules/orchestration/a2a/adapter-registry.js';
-import type { AgentCard } from '@/modules/orchestration/a2a/types.js';
-
-// Resolve <repo-root>/package.json from this file's location.
-// Source layout:    server/modules/orchestration/a2a/agent-card.ts        (4 levels deep from repo root)
-// Built layout:     dist-server/server/modules/orchestration/a2a/agent-card.js  (5 levels deep)
-// Walk up until a package.json containing "name":"@pixelbyte-software/pixcode" is found.
-function readPixcodeVersion(): string {
-  let dir = dirname(fileURLToPath(import.meta.url));
-  for (let i = 0; i < 8; i++) {
-    try {
-      const candidate = resolve(dir, 'package.json');
-      const raw = readFileSync(candidate, 'utf8');
-      const pkg = JSON.parse(raw) as { name?: string; version?: string };
-      if (pkg.name === '@pixelbyte-software/pixcode' && typeof pkg.version === 'string') {
-        return pkg.version;
-      }
-    } catch {
-      // not here, walk up
-    }
-    const parent = dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
-  }
-  return '0.0.0-dev';
-}
-
-const VERSION: string = readPixcodeVersion();
-
-export function buildPixcodeAgentCard(baseUrl: string): AgentCard {
-  const skills = adapterRegistry
-    .agentCards()
-    .flatMap((card) => card.skills)
-    .filter((skill, idx, arr) => arr.findIndex((s) => s.id === skill.id) === idx);
-
-  return {
-    name: 'pixcode',
-    description:
-      'Pixcode multi-CLI orchestration platform. Routes A2A tasks to ' +
-      'Claude Code, Codex, Cursor, Gemini, Qwen, or OpenCode adapters.',
-    url: `${baseUrl.replace(/\/$/, '')}/a2a`,
-    version: VERSION,
-    capabilities: ['streaming', 'taskRouting'],
-    skills,
-    authentication: { type: 'bearer' },
-  };
-}
+// server/modules/orchestration/a2a/agent-card.ts
+// Pixcode advertises itself as one A2A agent at /a2a/.well-known/agent-card.json.
+// Per-CLI adapters publish their own cards under /a2a/agents/:id/agent-card.
+
+import { readFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+import { adapterRegistry } from '@/modules/orchestration/a2a/adapter-registry.js';
+import type { AgentCard } from '@/modules/orchestration/a2a/types.js';
+
+// Resolve <repo-root>/package.json from this file's location.
+// Source layout:    server/modules/orchestration/a2a/agent-card.ts        (4 levels deep from repo root)
+// Built layout:     dist-server/server/modules/orchestration/a2a/agent-card.js  (5 levels deep)
+// Walk up until a package.json containing "name":"@pixelbyte-software/pixcode" is found.
+function readPixcodeVersion(): string {
+  let dir = dirname(fileURLToPath(import.meta.url));
+  for (let i = 0; i < 8; i++) {
+    try {
+      const candidate = resolve(dir, 'package.json');
+      const raw = readFileSync(candidate, 'utf8');
+      const pkg = JSON.parse(raw) as { name?: string; version?: string };
+      if (pkg.name === '@pixelbyte-software/pixcode' && typeof pkg.version === 'string') {
+        return pkg.version;
+      }
+    } catch {
+      // not here, walk up
+    }
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return '0.0.0-dev';
+}
+
+const VERSION: string = readPixcodeVersion();
+
+export function buildPixcodeAgentCard(baseUrl: string): AgentCard {
+  const skills = adapterRegistry
+    .agentCards()
+    .flatMap((card) => card.skills)
+    .filter((skill, idx, arr) => arr.findIndex((s) => s.id === skill.id) === idx);
+
+  return {
+    name: 'pixcode',
+    description:
+      'Pixcode multi-CLI orchestration platform. Routes A2A tasks to ' +
+      'Claude Code, Codex, Cursor, Gemini, Qwen, or OpenCode adapters.',
+    url: `${baseUrl.replace(/\/$/, '')}/a2a`,
+    version: VERSION,
+    capabilities: ['streaming', 'taskRouting'],
+    skills,
+    authentication: { type: 'bearer' },
+  };
+}

package/server/modules/orchestration/a2a/auth.middleware.ts

@@ -1,29 +1,29 @@
-// server/modules/orchestration/a2a/auth.middleware.ts
-// Localhost callers bypass auth; everyone else needs a Bearer JWT
-// validated by pixcode's existing auth stack.
-
-import type { NextFunction, Request, Response } from 'express';
-
-// @ts-ignore — plain-JS module without type declarations
-// eslint-disable-next-line boundaries/no-unknown -- server/middleware/auth.js is a top-level auth runtime not yet classified by eslint.config.js; cleanup deferred.
-import { authenticateToken } from '@/middleware/auth.js';
-
-const LOCAL_HOSTS = new Set(['127.0.0.1', '::1', 'localhost', '::ffff:127.0.0.1']);
-
-function isLocalRequest(req: Request): boolean {
-  const remote = req.socket.remoteAddress ?? '';
-  if (LOCAL_HOSTS.has(remote)) return true;
-  // Trust the X-Forwarded-For header only when the inbound socket is local
-  // (i.e. the reverse proxy itself is on the same host).
-  return false;
-}
-
-export function a2aAuth(req: Request, res: Response, next: NextFunction): void {
-  if (isLocalRequest(req)) {
-    next();
-    return;
-  }
-  // Delegate to existing pixcode JWT middleware. authenticateToken
-  // populates req.user on success and 401s on failure.
-  authenticateToken(req, res, next);
-}
+// server/modules/orchestration/a2a/auth.middleware.ts
+// Localhost callers bypass auth; everyone else needs a Bearer JWT
+// validated by pixcode's existing auth stack.
+
+import type { NextFunction, Request, Response } from 'express';
+
+// @ts-ignore — plain-JS module without type declarations
+// eslint-disable-next-line boundaries/no-unknown -- server/middleware/auth.js is a top-level auth runtime not yet classified by eslint.config.js; cleanup deferred.
+import { authenticateToken } from '@/middleware/auth.js';
+
+const LOCAL_HOSTS = new Set(['127.0.0.1', '::1', 'localhost', '::ffff:127.0.0.1']);
+
+function isLocalRequest(req: Request): boolean {
+  const remote = req.socket.remoteAddress ?? '';
+  if (LOCAL_HOSTS.has(remote)) return true;
+  // Trust the X-Forwarded-For header only when the inbound socket is local
+  // (i.e. the reverse proxy itself is on the same host).
+  return false;
+}
+
+export function a2aAuth(req: Request, res: Response, next: NextFunction): void {
+  if (isLocalRequest(req)) {
+    next();
+    return;
+  }
+  // Delegate to existing pixcode JWT middleware. authenticateToken
+  // populates req.user on success and 401s on failure.
+  authenticateToken(req, res, next);
+}

package/server/modules/orchestration/a2a/bus.ts

@@ -1,46 +1,46 @@
-// server/modules/orchestration/a2a/bus.ts
-// In-process pub/sub on top of Node's EventEmitter.
-// Subscribers receive every event for a given taskId; an
-// "all" subscriber receives every event regardless of task.
-// Note: the literal taskId "__all__" is reserved for the broadcast
-// channel; callers must not use it as a real taskId.
-
-import { EventEmitter } from 'node:events';
-
-import type { BusEvent } from '@/modules/orchestration/a2a/types.js';
-
-type Listener = (event: BusEvent) => void;
-
-const ALL = '__all__';
-
-class A2ABus {
-  private readonly emitter = new EventEmitter();
-
-  constructor() {
-    this.emitter.setMaxListeners(0); // SSE clients can be numerous
-  }
-
-  /** Synchronous: listeners run before publish() returns. */
-  publish(event: BusEvent): void {
-    this.emitter.emit(event.taskId, event);
-    this.emitter.emit(ALL, event);
-  }
-
-  /** Subscribe to events for a specific taskId. Returns an unsubscribe
-   *  function — caller MUST invoke it to release the listener; the bus
-   *  retains a strong reference until then. */
-  subscribe(taskId: string, listener: Listener): () => void {
-    this.emitter.on(taskId, listener);
-    return () => this.emitter.off(taskId, listener);
-  }
-
-  /** Subscribe to ALL events. Returns an unsubscribe function with the
-   *  same release semantics as subscribe(). */
-  subscribeAll(listener: Listener): () => void {
-    this.emitter.on(ALL, listener);
-    return () => this.emitter.off(ALL, listener);
-  }
-}
-
-export const a2aBus = new A2ABus();
-export type { A2ABus };
+// server/modules/orchestration/a2a/bus.ts
+// In-process pub/sub on top of Node's EventEmitter.
+// Subscribers receive every event for a given taskId; an
+// "all" subscriber receives every event regardless of task.
+// Note: the literal taskId "__all__" is reserved for the broadcast
+// channel; callers must not use it as a real taskId.
+
+import { EventEmitter } from 'node:events';
+
+import type { BusEvent } from '@/modules/orchestration/a2a/types.js';
+
+type Listener = (event: BusEvent) => void;
+
+const ALL = '__all__';
+
+class A2ABus {
+  private readonly emitter = new EventEmitter();
+
+  constructor() {
+    this.emitter.setMaxListeners(0); // SSE clients can be numerous
+  }
+
+  /** Synchronous: listeners run before publish() returns. */
+  publish(event: BusEvent): void {
+    this.emitter.emit(event.taskId, event);
+    this.emitter.emit(ALL, event);
+  }
+
+  /** Subscribe to events for a specific taskId. Returns an unsubscribe
+   *  function — caller MUST invoke it to release the listener; the bus
+   *  retains a strong reference until then. */
+  subscribe(taskId: string, listener: Listener): () => void {
+    this.emitter.on(taskId, listener);
+    return () => this.emitter.off(taskId, listener);
+  }
+
+  /** Subscribe to ALL events. Returns an unsubscribe function with the
+   *  same release semantics as subscribe(). */
+  subscribeAll(listener: Listener): () => void {
+    this.emitter.on(ALL, listener);
+    return () => this.emitter.off(ALL, listener);
+  }
+}
+
+export const a2aBus = new A2ABus();
+export type { A2ABus };

package/server/modules/orchestration/preview/preview-proxy.ts

@@ -11,7 +11,8 @@ function buildTargetUrl(port: number, path: string): string {
 
 function proxyHandler(): RequestHandler {
   return async (req, res) => {
-    const rawPort = Array.isArray(req.params.port) ? req.params.port[0] : req.params.port;
+    const portParam = req.params.port ?? req.params[0];
+    const rawPort = Array.isArray(portParam) ? portParam[0] : portParam;
     const port = Number.parseInt(rawPort, 10);
     if (!Number.isFinite(port) || port <= 0 || !getKnownPreviewPort(port)) {
       res.status(404).json({
@@ -54,7 +55,6 @@ function proxyHandler(): RequestHandler {
 
 export function createPreviewProxyRouter(): Router {
   const router = express.Router();
-  router.use('/:port', proxyHandler());
-  router.use('/:port/*', proxyHandler());
+  router.use(/^\/(\d+)(?:\/.*)?$/, proxyHandler());
   return router;
 }

package/server/modules/providers/list/opencode/opencode-auth.provider.ts

@@ -1,130 +1,130 @@
-import { readFile } from 'node:fs/promises';
-import os from 'node:os';
-import path from 'node:path';
-
-import spawn from 'cross-spawn';
-
-import type { IProviderAuth } from '@/shared/interfaces.js';
-import type { ProviderAuthStatus } from '@/shared/types.js';
-import { readObjectRecord, readOptionalString } from '@/shared/utils.js';
-// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-// @ts-ignore — plain-JS module, typed via inference
-import { getProviderCredentials } from '@/services/provider-credentials.js';
-
-type OpencodeCredentialsStatus = {
-  authenticated: boolean;
-  email: string | null;
-  method: string | null;
-  error?: string;
-};
-
-/**
- * OpenCode auth checker.
- *
- * OpenCode stores credentials at `~/.local/share/opencode/auth.json` (XDG
- * data dir — different layout from the other providers which use
- * `~/.<name>/`). The file is a JSON map of `providerName → { type, ... }`
- * where type is `api` (API key), `oauth` (OAuth tokens), or similar.
- *
- * Windows layout (as of the 2026 release): `%LOCALAPPDATA%\opencode\auth.json`.
- *
- * Since OpenCode is multi-provider (OpenAI, Anthropic, Google, Ollama,
- * OpenCode Zen), "authenticated" here means "at least ONE provider in
- * auth.json has credentials" — we don't care which.
- */
-export class OpencodeProviderAuth implements IProviderAuth {
-  private checkInstalled(): boolean {
-    const cliPath = process.env.OPENCODE_CLI_PATH || 'opencode';
-    try {
-      const result = spawn.sync(cliPath, ['--version'], { stdio: 'ignore', timeout: 5000 });
-      return !result.error && result.status === 0;
-    } catch {
-      return false;
-    }
-  }
-
-  async getStatus(): Promise<ProviderAuthStatus> {
-    const installed = this.checkInstalled();
-
-    if (!installed) {
-      return {
-        installed,
-        provider: 'opencode',
-        authenticated: false,
-        email: null,
-        method: null,
-        error: 'OpenCode CLI is not installed',
-      };
-    }
-
-    const credentials = await this.checkCredentials();
-
-    return {
-      installed,
-      provider: 'opencode',
-      authenticated: credentials.authenticated,
-      email: credentials.email,
-      method: credentials.method,
-      error: credentials.authenticated ? undefined : credentials.error || 'Not authenticated',
-    };
-  }
-
-  private async checkCredentials(): Promise<OpencodeCredentialsStatus> {
-    // Pixcode-managed credentials come first — if the user stored an API
-    // key via Settings > Agents > API Key, trust that regardless of
-    // env vars or auth.json.
-    try {
-      const creds = await getProviderCredentials('opencode');
-      if (creds?.apiKey) {
-        return { authenticated: true, email: 'API Key Auth', method: 'pixcode_store' };
-      }
-    } catch { /* fall through */ }
-
-    // Env-var shortcut — any of the multi-provider keys OpenCode recognises.
-    const envKeys = ['ANTHROPIC_API_KEY', 'OPENAI_API_KEY', 'GOOGLE_API_KEY', 'OPENROUTER_API_KEY'];
-    for (const k of envKeys) {
-      if (process.env[k]?.trim()) {
-        return { authenticated: true, email: `${k.replace('_API_KEY', '')} env`, method: 'api_key' };
-      }
-    }
-
-    // auth.json — written by `opencode auth login`. On Windows the XDG
-    // data dir typically resolves to `%LOCALAPPDATA%\opencode`, but since
-    // Node's `os.homedir()` + `.local/share/opencode` covers the Linux
-    // default and most WSL cases, we check both paths.
-    const candidatePaths = [
-      path.join(os.homedir(), '.local', 'share', 'opencode', 'auth.json'),
-      path.join(os.homedir(), 'AppData', 'Local', 'opencode', 'auth.json'),
-    ];
-
-    for (const credsPath of candidatePaths) {
-      try {
-        const content = await readFile(credsPath, 'utf8');
-        const creds = readObjectRecord(JSON.parse(content)) ?? {};
-        const providerNames = Object.keys(creds);
-        if (providerNames.length > 0) {
-          // Prefer a real provider label over a generic one when we can
-          // identify it.
-          const firstProvider = providerNames[0];
-          const firstConfig = readObjectRecord(creds[firstProvider]) ?? {};
-          const authType = readOptionalString(firstConfig.type) ?? 'stored';
-          const label = providerNames.length === 1
-            ? `${firstProvider} (${authType})`
-            : `${providerNames.length} providers configured`;
-          return {
-            authenticated: true,
-            email: label,
-            method: authType === 'oauth' ? 'credentials_file' : 'api_key',
-          };
-        }
-      } catch { /* try next path */ }
-    }
-
-    return {
-      authenticated: false,
-      email: null,
-      method: null,
-      error: 'OpenCode is not configured — run `opencode auth login`.',
-    };
-  }
-}
+import { readFile } from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+
+import spawn from 'cross-spawn';
+
+import type { IProviderAuth } from '@/shared/interfaces.js';
+import type { ProviderAuthStatus } from '@/shared/types.js';
+import { readObjectRecord, readOptionalString } from '@/shared/utils.js';
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+// @ts-ignore — plain-JS module, typed via inference
+import { getProviderCredentials } from '@/services/provider-credentials.js';
+
+type OpencodeCredentialsStatus = {
+  authenticated: boolean;
+  email: string | null;
+  method: string | null;
+  error?: string;
+};
+
+/**
+ * OpenCode auth checker.
+ *
+ * OpenCode stores credentials at `~/.local/share/opencode/auth.json` (XDG
+ * data dir — different layout from the other providers which use
+ * `~/.<name>/`). The file is a JSON map of `providerName → { type, ... }`
+ * where type is `api` (API key), `oauth` (OAuth tokens), or similar.
+ *
+ * Windows layout (as of the 2026 release): `%LOCALAPPDATA%\opencode\auth.json`.
+ *
+ * Since OpenCode is multi-provider (OpenAI, Anthropic, Google, Ollama,
+ * OpenCode Zen), "authenticated" here means "at least ONE provider in
+ * auth.json has credentials" — we don't care which.
+ */
+export class OpencodeProviderAuth implements IProviderAuth {
+  private checkInstalled(): boolean {
+    const cliPath = process.env.OPENCODE_CLI_PATH || 'opencode';
+    try {
+      const result = spawn.sync(cliPath, ['--version'], { stdio: 'ignore', timeout: 5000 });
+      return !result.error && result.status === 0;
+    } catch {
+      return false;
+    }
+  }
+
+  async getStatus(): Promise<ProviderAuthStatus> {
+    const installed = this.checkInstalled();
+
+    if (!installed) {
+      return {
+        installed,
+        provider: 'opencode',
+        authenticated: false,
+        email: null,
+        method: null,
+        error: 'OpenCode CLI is not installed',
+      };
+    }
+
+    const credentials = await this.checkCredentials();
+
+    return {
+      installed,
+      provider: 'opencode',
+      authenticated: credentials.authenticated,
+      email: credentials.email,
+      method: credentials.method,
+      error: credentials.authenticated ? undefined : credentials.error || 'Not authenticated',
+    };
+  }
+
+  private async checkCredentials(): Promise<OpencodeCredentialsStatus> {
+    // Pixcode-managed credentials come first — if the user stored an API
+    // key via Settings > Agents > API Key, trust that regardless of
+    // env vars or auth.json.
+    try {
+      const creds = await getProviderCredentials('opencode');
+      if (creds?.apiKey) {
+        return { authenticated: true, email: 'API Key Auth', method: 'pixcode_store' };
+      }
+    } catch { /* fall through */ }
+
+    // Env-var shortcut — any of the multi-provider keys OpenCode recognises.
+    const envKeys = ['ANTHROPIC_API_KEY', 'OPENAI_API_KEY', 'GOOGLE_API_KEY', 'OPENROUTER_API_KEY'];
+    for (const k of envKeys) {
+      if (process.env[k]?.trim()) {
+        return { authenticated: true, email: `${k.replace('_API_KEY', '')} env`, method: 'api_key' };
+      }
+    }
+
+    // auth.json — written by `opencode auth login`. On Windows the XDG
+    // data dir typically resolves to `%LOCALAPPDATA%\opencode`, but since
+    // Node's `os.homedir()` + `.local/share/opencode` covers the Linux
+    // default and most WSL cases, we check both paths.
+    const candidatePaths = [
+      path.join(os.homedir(), '.local', 'share', 'opencode', 'auth.json'),
+      path.join(os.homedir(), 'AppData', 'Local', 'opencode', 'auth.json'),
+    ];
+
+    for (const credsPath of candidatePaths) {
+      try {
+        const content = await readFile(credsPath, 'utf8');
+        const creds = readObjectRecord(JSON.parse(content)) ?? {};
+        const providerNames = Object.keys(creds);
+        if (providerNames.length > 0) {
+          // Prefer a real provider label over a generic one when we can
+          // identify it.
+          const firstProvider = providerNames[0];
+          const firstConfig = readObjectRecord(creds[firstProvider]) ?? {};
+          const authType = readOptionalString(firstConfig.type) ?? 'stored';
+          const label = providerNames.length === 1
+            ? `${firstProvider} (${authType})`
+            : `${providerNames.length} providers configured`;
+          return {
+            authenticated: true,
+            email: label,
+            method: authType === 'oauth' ? 'credentials_file' : 'api_key',
+          };
+        }
+      } catch { /* try next path */ }
+    }
+
+    return {
+      authenticated: false,
+      email: null,
+      method: null,
+      error: 'OpenCode is not configured — run `opencode auth login`.',
+    };
+  }
+}