@pixelbyte-software/pixcode 1.37.0 → 1.38.1

package/server/database/db.js

@@ -379,17 +379,28 @@ const userDb = {
 const apiKeysDb = {
     generateApiKey: () => 'px_' + crypto.randomBytes(32).toString('hex'),
 
-    createApiKey: (userId, keyName) => {
+    normalizeScopes: (scopes) => {
+        if (!Array.isArray(scopes)) return [];
+        return Array.from(new Set(scopes
+            .filter((scope) => typeof scope === 'string')
+            .map((scope) => scope.trim())
+            .filter(Boolean)
+        )).sort();
+    },
+
+    createApiKey: (userId, keyName, scopes = []) => {
         const apiKey = apiKeysDb.generateApiKey();
+        const normalizedScopes = apiKeysDb.normalizeScopes(scopes);
         const row = store.insert('api_keys', {
             user_id: userId,
             key_name: keyName,
             api_key: apiKey,
+            scopes: normalizedScopes,
             created_at: nowIso(),
             last_used: null,
             is_active: true,
         });
-        return { id: row.id, keyName, apiKey };
+        return { id: row.id, keyName, apiKey, scopes: normalizedScopes };
     },
 
     getApiKeys: (userId) => {
@@ -402,6 +413,7 @@ const apiKeysDb = {
                 id: r.id,
                 key_name: r.key_name,
                 api_key: r.api_key,
+                scopes: apiKeysDb.normalizeScopes(r.scopes),
                 created_at: r.created_at,
                 last_used: r.last_used,
                 is_active: r.is_active ? 1 : 0,
@@ -420,6 +432,7 @@ const apiKeysDb = {
             id: user.id,
             username: user.username,
             api_key_id: key.id,
+            api_key_scopes: apiKeysDb.normalizeScopes(key.scopes),
         };
     },
 
@@ -428,6 +441,11 @@ const apiKeysDb = {
 
     toggleApiKey: (userId, apiKeyId, isActive) =>
         store.updateWhere('api_keys', (r) => r.id === apiKeyId && r.user_id === userId, { is_active: Boolean(isActive) }) > 0,
+
+    updateApiKeyScopes: (userId, apiKeyId, scopes = []) =>
+        store.updateWhere('api_keys', (r) => r.id === apiKeyId && r.user_id === userId, {
+            scopes: apiKeysDb.normalizeScopes(scopes),
+        }) > 0,
 };
 
 // ---------------------------------------------------------------------------
@@ -691,7 +709,7 @@ function normalizeTelegramControlState(value = {}) {
     const selectedProvider = ['claude', 'cursor', 'codex', 'gemini', 'qwen', 'opencode'].includes(raw.selectedProvider)
         ? raw.selectedProvider
         : DEFAULT_TELEGRAM_CONTROL_STATE.selectedProvider;
-    const progressMode = ['final', 'steps', 'all'].includes(raw.progressMode)
+    const progressMode = ['final', 'steps', 'all', 'errors'].includes(raw.progressMode)
         ? raw.progressMode
         : DEFAULT_TELEGRAM_CONTROL_STATE.progressMode;
 

package/server/index.js

@@ -75,6 +75,9 @@ import geminiRoutes from './routes/gemini.js';
 import qwenRoutes from './routes/qwen.js';
 import pluginsRoutes from './routes/plugins.js';
 import messagesRoutes from './routes/messages.js';
+import diagnosticsRoutes from './routes/diagnostics.js';
+import remoteRoutes from './routes/remote.js';
+import publicApiRoutes from './routes/public-api.js';
 import providerRoutes from './modules/providers/provider.routes.js';
 import {
   createA2ARouter,
@@ -320,6 +323,8 @@ const wss = new WebSocketServer({
 
 // Make WebSocket server available to routes
 app.locals.wss = wss;
+app.locals.installMode = installMode;
+app.locals.serverVersion = SERVER_VERSION;
 setNotificationWebSocketServer(wss);
 
 app.use(cors({ exposedHeaders: ['X-Refreshed-Token'] }));
@@ -391,6 +396,15 @@ app.use('/api/plugins', authenticateToken, pluginsRoutes);
 // Unified session messages route (protected)
 app.use('/api/sessions', authenticateToken, messagesRoutes);
 
+// Diagnostics API Routes (protected)
+app.use('/api/diagnostics', authenticateToken, diagnosticsRoutes);
+
+// Remote connection API Routes (protected)
+app.use('/api/remote', authenticateToken, remoteRoutes);
+
+// Public automation manifest (protected so private host details only go to signed-in clients)
+app.use('/api/public', authenticateToken, publicApiRoutes);
+
 // Unified provider MCP routes (protected)
 app.use('/api/providers', authenticateToken, providerRoutes);
 

package/server/modules/providers/provider.routes.ts

@@ -670,6 +670,102 @@ const resolveConfigFile = (provider: string, fileId: string): { descriptor: Prov
   return { descriptor, absolutePath };
 };
 
+const SENSITIVE_CONFIG_PATTERN = /(api[_-]?key|token|secret|password|authorization|bearer)\s*[:=]\s*["']?([^"'\n\r]+)/ig;
+
+function redactProviderConfigPreview(contents: string): string {
+  return contents.replace(SENSITIVE_CONFIG_PATTERN, (_match, key) => `${key}: [redacted]`);
+}
+
+async function validateProviderConfigContents(descriptor: ProviderConfigFile, contents: string) {
+  if (Buffer.byteLength(contents, 'utf8') > MAX_CONFIG_FILE_SIZE_BYTES) {
+    throw new AppError(
+      `Config contents exceed ${MAX_CONFIG_FILE_SIZE_BYTES} bytes`,
+      { code: 'PROVIDER_CONFIG_TOO_LARGE', statusCode: 413 },
+    );
+  }
+
+  if (descriptor.format === 'json') {
+    try {
+      JSON.parse(contents || '{}');
+    } catch (err) {
+      throw new AppError(`Invalid JSON: ${(err as Error).message}`, {
+        code: 'PROVIDER_CONFIG_INVALID_JSON',
+        statusCode: 400,
+      });
+    }
+  }
+
+  return {
+    valid: true,
+    format: descriptor.format,
+    readonly: Boolean(descriptor.readonly),
+    preview: redactProviderConfigPreview(contents).slice(0, 4000),
+  };
+}
+
+async function buildProviderPluginState(provider: string) {
+  const files = PROVIDER_CONFIG_FILES[provider] || [];
+  const configs = await Promise.all(files.map(async (entry) => {
+    const absolutePath = path.resolve(os.homedir(), entry.relativePath);
+    let exists = false;
+    let size: number | null = null;
+    let updatedAt: string | null = null;
+    let preview = '';
+    try {
+      const stat = await fs.stat(absolutePath);
+      exists = stat.isFile();
+      size = stat.size;
+      updatedAt = stat.mtime.toISOString();
+      if (exists && stat.size <= MAX_CONFIG_FILE_SIZE_BYTES) {
+        preview = redactProviderConfigPreview(await fs.readFile(absolutePath, 'utf8')).slice(0, 1200);
+      }
+    } catch {
+      // Missing config files are normal for CLIs that have not been used yet.
+    }
+
+    return {
+      id: entry.id,
+      label: entry.label,
+      format: entry.format,
+      readonly: Boolean(entry.readonly),
+      relativePath: entry.relativePath,
+      absolutePath,
+      exists,
+      size,
+      updatedAt,
+      preview,
+      canBackup: exists,
+      canValidate: entry.format === 'json' || entry.format === 'env' || entry.format === 'toml' || entry.format === 'text',
+    };
+  }));
+
+  return {
+    provider,
+    supported: files.length > 0,
+    configCount: files.length,
+    installedCount: configs.filter((config) => config.exists).length,
+    configs,
+  };
+}
+
+router.get(
+  '/plugin-state',
+  asyncHandler(async (_req: Request, res: Response) => {
+    const providers = await Promise.all(
+      Object.keys(PROVIDER_CONFIG_FILES).map((provider) => buildProviderPluginState(provider)),
+    );
+    res.json(createApiSuccessResponse({ providers }));
+  }),
+);
+
+router.get(
+  '/plugin-state/:provider',
+  asyncHandler(async (req: Request, res: Response) => {
+    const provider = parseProvider(req.params.provider);
+    res.json(createApiSuccessResponse(await buildProviderPluginState(provider)));
+  }),
+);
+
 router.get(
   '/:provider/config-files',
   asyncHandler(async (req: Request, res: Response) => {
@@ -826,4 +922,42 @@ router.put(
   }),
 );
 
+router.post(
+  '/:provider/config-files/:fileId/validate',
+  asyncHandler(async (req: Request, res: Response) => {
+    const provider = String(req.params.provider);
+    const fileId = String(req.params.fileId);
+    const { descriptor, absolutePath } = resolveConfigFile(provider, fileId);
+    const contents = typeof req.body?.contents === 'string'
+      ? req.body.contents
+      : await fs.readFile(absolutePath, 'utf8').catch(() => '');
+    res.json(createApiSuccessResponse(await validateProviderConfigContents(descriptor, contents)));
+  }),
+);
+
+router.post(
+  '/:provider/config-files/:fileId/backup',
+  asyncHandler(async (req: Request, res: Response) => {
+    const provider = String(req.params.provider);
+    const fileId = String(req.params.fileId);
+    const { absolutePath } = resolveConfigFile(provider, fileId);
+    const stat = await fs.stat(absolutePath);
+    if (!stat.isFile()) {
+      throw new AppError(`${absolutePath} is not a regular file`, {
+        code: 'PROVIDER_CONFIG_NOT_FILE',
+        statusCode: 409,
+      });
+    }
+    const backupPath = `${absolutePath}.pixcode-backup-${Date.now()}`;
+    await fs.copyFile(absolutePath, backupPath);
+    res.json(createApiSuccessResponse({
+      provider,
+      fileId,
+      absolutePath,
+      backupPath,
+      size: stat.size,
+    }));
+  }),
+);
+
 export default router;

package/server/routes/auth.js

@@ -7,6 +7,10 @@ import bcrypt from 'bcryptjs';
 
 import { userDb, db } from '../database/db.js';
 import { generateToken, authenticateToken } from '../middleware/auth.js';
+import {
+  getPublicRemoteConnectionConfig,
+  saveRemoteConnectionConfig,
+} from '../services/remote-connection.js';
 
 const router = express.Router();
 
@@ -24,6 +28,21 @@ router.get('/status', async (req, res) => {
   }
 });
 
+// First-run connection mode is intentionally public: it is needed before
+// account creation so a fresh desktop install can decide whether it controls
+// this machine or a remote Pixcode server.
+router.get('/connection-mode', (req, res) => {
+  res.json({ success: true, connection: getPublicRemoteConnectionConfig() });
+});
+
+router.put('/connection-mode', (req, res) => {
+  try {
+    res.json({ success: true, connection: saveRemoteConnectionConfig(req.body || {}) });
+  } catch (error) {
+    res.status(400).json({ success: false, error: error.message });
+  }
+});
+
 // User registration (setup) - only allowed if no users exist
 router.post('/register', async (req, res) => {
   try {
@@ -137,4 +156,4 @@ router.post('/logout', authenticateToken, (req, res) => {
   res.json({ success: true, message: 'Logged out successfully' });
 });
 
-export default router;
+export default router;

package/server/routes/diagnostics.js

@@ -0,0 +1,41 @@
+import express from 'express';
+
+import { collectDiagnostics } from '../services/diagnostics.js';
+
+const router = express.Router();
+
+function buildDiagnostics(req) {
+  return collectDiagnostics({
+    installMode: req.app.locals.installMode,
+    serverVersion: req.app.locals.serverVersion,
+    wss: req.app.locals.wss,
+    activeRuns: req.app.locals.activeRuns || [],
+    recentErrors: req.app.locals.recentErrors || [],
+    providerHealth: req.app.locals.providerHealth || {},
+    cache: req.app.locals.diagnosticsCache || {},
+  });
+}
+
+router.get('/', (req, res) => {
+  res.json(buildDiagnostics(req));
+});
+
+router.post('/refresh', (req, res) => {
+  req.app.locals.diagnosticsCache = {
+    ...(req.app.locals.diagnosticsCache || {}),
+    diagnosticsUpdatedAt: new Date().toISOString(),
+    manualRefresh: true,
+  };
+  res.json(buildDiagnostics(req));
+});
+
+router.get('/bundle', (req, res) => {
+  const diagnostics = buildDiagnostics(req);
+  res.json({
+    generatedAt: diagnostics.timestamp,
+    copyable: true,
+    diagnostics,
+  });
+});
+
+export default router;

package/server/routes/public-api.js

@@ -0,0 +1,21 @@
+import express from 'express';
+
+import { buildOpenApiFragment, buildPublicApiManifest } from '../services/public-api-manifest.js';
+
+const router = express.Router();
+
+function requestBaseUrl(req) {
+  const proto = req.headers['x-forwarded-proto'] || req.protocol;
+  const host = req.headers['x-forwarded-host'] || req.headers.host;
+  return host ? `${proto}://${host}` : '';
+}
+
+router.get('/manifest', (req, res) => {
+  res.json(buildPublicApiManifest({ baseUrl: requestBaseUrl(req) }));
+});
+
+router.get('/openapi', (req, res) => {
+  res.json(buildOpenApiFragment({ baseUrl: requestBaseUrl(req) }));
+});
+
+export default router;

package/server/routes/remote.js

@@ -0,0 +1,33 @@
+import express from 'express';
+
+import {
+  checkRemoteConnection,
+  getPublicRemoteConnectionConfig,
+  saveRemoteConnectionConfig,
+} from '../services/remote-connection.js';
+
+const router = express.Router();
+
+router.get('/config', (req, res) => {
+  res.json({ success: true, connection: getPublicRemoteConnectionConfig() });
+});
+
+router.put('/config', (req, res) => {
+  try {
+    const connection = saveRemoteConnectionConfig(req.body || {});
+    res.json({ success: true, connection });
+  } catch (error) {
+    res.status(400).json({ success: false, error: error.message });
+  }
+});
+
+router.post('/check', async (req, res) => {
+  try {
+    const health = await checkRemoteConnection(req.body && Object.keys(req.body).length ? req.body : undefined);
+    res.json({ success: true, health, connection: getPublicRemoteConnectionConfig() });
+  } catch (error) {
+    res.status(400).json({ success: false, error: error.message });
+  }
+});
+
+export default router;

package/server/routes/settings.js

@@ -29,13 +29,13 @@ router.get('/api-keys', async (req, res) => {
 // Create a new API key
 router.post('/api-keys', async (req, res) => {
   try {
-    const { keyName } = req.body;
+    const { keyName, scopes } = req.body;
 
     if (!keyName || !keyName.trim()) {
       return res.status(400).json({ error: 'Key name is required' });
     }
 
-    const result = apiKeysDb.createApiKey(req.user.id, keyName.trim());
+    const result = apiKeysDb.createApiKey(req.user.id, keyName.trim(), scopes);
     res.json({
       success: true,
       apiKey: result
@@ -86,6 +86,29 @@ router.patch('/api-keys/:keyId/toggle', async (req, res) => {
   }
 });
 
+// Update API key scopes
+router.patch('/api-keys/:keyId/scopes', async (req, res) => {
+  try {
+    const { keyId } = req.params;
+    const { scopes } = req.body;
+
+    if (!Array.isArray(scopes)) {
+      return res.status(400).json({ error: 'scopes must be an array' });
+    }
+
+    const success = apiKeysDb.updateApiKeyScopes(req.user.id, parseInt(keyId), scopes);
+
+    if (success) {
+      res.json({ success: true });
+    } else {
+      res.status(404).json({ error: 'API key not found' });
+    }
+  } catch (error) {
+    console.error('Error updating API key scopes:', error);
+    res.status(500).json({ error: 'Failed to update API key scopes' });
+  }
+});
+
 // ===============================
 // Generic Credentials Management
 // ===============================

package/server/routes/taskmaster.js

@@ -161,6 +161,29 @@ function taskMasterExecutionDescription(task) {
     ].filter(Boolean).join('\n\n');
 }
 
+function buildTaskMasterQueueSummary(projectName, projectPath, tasks) {
+    const normalized = tasks.map((task) => ({
+        ...task,
+        queueState: ['done', 'completed', 'cancelled', 'canceled'].includes(String(task.status || '').toLowerCase())
+            ? 'finished'
+            : String(task.status || 'pending') === 'in-progress'
+                ? 'running'
+                : 'queued',
+    }));
+    return {
+        projectName,
+        projectPath,
+        queue: normalized,
+        totals: {
+            all: normalized.length,
+            queued: normalized.filter((task) => task.queueState === 'queued').length,
+            running: normalized.filter((task) => task.queueState === 'running').length,
+            finished: normalized.filter((task) => task.queueState === 'finished').length,
+        },
+        timestamp: new Date().toISOString(),
+    };
+}
+
 // API Routes
 
 /**
@@ -362,6 +385,66 @@ router.get('/tasks/:projectName', async (req, res) => {
     }
 });
 
+/**
+ * GET /api/taskmaster/queue/:projectName
+ * Stable automation endpoint for remote UI, Telegram, and external clients.
+ */
+router.get('/queue/:projectName', async (req, res) => {
+    try {
+        const { projectName } = req.params;
+        const { projectPath, transformedTasks } = await readTaskMasterTasks(projectName);
+        res.json(buildTaskMasterQueueSummary(projectName, projectPath, transformedTasks));
+    } catch (error) {
+        if (error?.code === 'ENOENT') {
+            return res.json(buildTaskMasterQueueSummary(req.params.projectName, null, []));
+        }
+        console.error('TaskMaster queue loading error:', error);
+        res.status(500).json({
+            error: 'Failed to load TaskMaster queue',
+            message: error.message
+        });
+    }
+});
+
+/**
+ * GET /api/taskmaster/task/:projectName/:taskId
+ * Load a single TaskMaster item with queue metadata.
+ */
+router.get('/task/:projectName/:taskId', async (req, res) => {
+    try {
+        const { projectName, taskId } = req.params;
+        const { projectPath, transformedTasks } = await readTaskMasterTasks(projectName);
+        const task = transformedTasks.find((candidate) => String(candidate.id) === String(taskId));
+        if (!task) {
+            return res.status(404).json({
+                success: false,
+                error: 'TaskMaster task not found',
+                message: `Task "${taskId}" was not found in project "${projectName}"`
+            });
+        }
+        res.json({
+            success: true,
+            projectName,
+            projectPath,
+            task,
+            execution: {
+                supportsProvider: true,
+                supportsModel: true,
+                supportsFallbackProvider: true,
+                supportsPermissionMode: true,
+                supportsWorkerSlot: true,
+            },
+        });
+    } catch (error) {
+        console.error('TaskMaster task detail error:', error);
+        res.status(500).json({
+            success: false,
+            error: 'Failed to load TaskMaster task',
+            message: error.message
+        });
+    }
+});
+
 /**
  * POST /api/taskmaster/execute/:projectName/:taskId
  * Import a TaskMaster task into orchestration and dispatch it to a CLI agent.
@@ -376,6 +459,8 @@ router.post('/execute/:projectName/:taskId', async (req, res) => {
                 : '';
         const model = typeof req.body?.model === 'string' ? req.body.model : undefined;
         const permissionMode = typeof req.body?.permissionMode === 'string' ? req.body.permissionMode : undefined;
+        const fallbackProvider = typeof req.body?.fallbackProvider === 'string' ? req.body.fallbackProvider : undefined;
+        const workerSlot = Number.isInteger(req.body?.workerSlot) ? req.body.workerSlot : undefined;
         const isolation = ['host', 'worktree', 'docker'].includes(req.body?.isolation)
             ? req.body.isolation
             : 'worktree';
@@ -403,7 +488,14 @@ router.post('/execute/:projectName/:taskId', async (req, res) => {
             projectId,
             taskmasterId: String(task.id),
             title: `TaskMaster #${task.id}: ${task.title}`,
-            description: taskMasterExecutionDescription(task)
+            description: taskMasterExecutionDescription(task),
+            metadata: {
+                provider: adapterId,
+                model,
+                permissionMode,
+                fallbackProvider,
+                workerSlot,
+            },
         });
 
         const dispatchedTask = await orchestrationTaskService.dispatch(orchestrationTask.id, {
@@ -411,7 +503,9 @@ router.post('/execute/:projectName/:taskId', async (req, res) => {
             isolation,
             projectPath,
             model,
-            permissionMode
+            permissionMode,
+            fallbackProvider,
+            workerSlot,
         });
 
         res.json({
@@ -419,6 +513,13 @@ router.post('/execute/:projectName/:taskId', async (req, res) => {
             projectName,
             projectPath,
             taskmasterTask: task,
+            execution: {
+                provider: adapterId,
+                model,
+                permissionMode,
+                fallbackProvider,
+                workerSlot,
+            },
             task: dispatchedTask
         });
     } catch (error) {