codexmate 0.0.23 → 0.0.25

package/cli/import-skills-url.js

@@ -0,0 +1,356 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const http = require('http');
+const https = require('https');
+const { isValidHttpUrl } = require('../lib/cli-utils');
+const { MAX_SKILLS_ZIP_UPLOAD_SIZE, importSkillsFromZipFile } = require('./skills');
+
+function decodeUrlPathPart(part) {
+    try {
+        return decodeURIComponent(part);
+    } catch (_) {
+        return part;
+    }
+}
+
+function parseGithubRepoFromUrl(inputUrl) {
+    const raw = typeof inputUrl === 'string' ? inputUrl.trim() : '';
+    if (!raw) return null;
+    let parsed;
+    try {
+        parsed = new URL(raw);
+    } catch (_) {
+        return null;
+    }
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+        return null;
+    }
+    if (parsed.hostname !== 'github.com') {
+        return null;
+    }
+    const parts = parsed.pathname.split('/').filter(Boolean).map(decodeUrlPathPart);
+    if (parts.length < 2) return null;
+    const owner = parts[0];
+    const repoPart = parts[1] || '';
+    const repo = repoPart.endsWith('.git') ? repoPart.slice(0, -4) : repoPart;
+    if (!owner || !repo) return null;
+    const ref = parts[2] === 'tree' && parts[3]
+        ? parts.slice(3).join('/')
+        : '';
+    return { owner, repo, ref };
+}
+
+function buildGithubArchiveZipBase(repoInfo) {
+    if (!repoInfo || !repoInfo.owner || !repoInfo.repo) return '';
+    return `https://github.com/${encodeURIComponent(repoInfo.owner)}/${encodeURIComponent(repoInfo.repo)}/archive/refs`;
+}
+
+function encodeGithubRefPath(ref) {
+    return String(ref || '')
+        .split('/')
+        .map(part => encodeURIComponent(part))
+        .join('/');
+}
+
+function resolveGithubArchiveZipUrl(inputUrl) {
+    const repoInfo = parseGithubRepoFromUrl(inputUrl);
+    if (!repoInfo) return '';
+    const base = buildGithubArchiveZipBase(repoInfo);
+    const ref = repoInfo.ref || 'main';
+    return `${base}/heads/${encodeGithubRefPath(ref)}.zip`;
+}
+
+function buildGithubArchiveZipCandidates(inputUrl) {
+    const repoInfo = parseGithubRepoFromUrl(inputUrl);
+    if (!repoInfo) return [];
+    const base = buildGithubArchiveZipBase(repoInfo);
+    if (repoInfo.ref) {
+        const ref = encodeGithubRefPath(repoInfo.ref);
+        return [
+            `${base}/heads/${ref}.zip`,
+            `${base}/tags/${ref}.zip`
+        ];
+    }
+    return [
+        `${base}/heads/main.zip`,
+        `${base}/heads/master.zip`
+    ];
+}
+
+function redactUrlForLog(inputUrl) {
+    const raw = typeof inputUrl === 'string' ? inputUrl.trim() : '';
+    if (!raw) return '';
+    try {
+        const parsed = new URL(raw);
+        return `${parsed.origin}${parsed.pathname}`;
+    } catch (_) {
+        return raw;
+    }
+}
+
+function extractHttpStatusFromError(err) {
+    const message = err && err.message ? String(err.message) : '';
+    const matched = message.match(/\bHTTP\s+(\d{3})\b/);
+    if (!matched) return 0;
+    const value = Number(matched[1]);
+    return Number.isFinite(value) ? value : 0;
+}
+
+function isAllowedSkillsRedirectHost(originHost, nextHost) {
+    const origin = typeof originHost === 'string' ? originHost.trim().toLowerCase() : '';
+    const next = typeof nextHost === 'string' ? nextHost.trim().toLowerCase() : '';
+    if (!origin || !next) return false;
+    if (origin === next) return true;
+    if (process.env.CODEXMATE_ALLOW_SKILLS_REDIRECT === '1') return true;
+    if (origin === 'github.com' && next === 'codeload.github.com') return true;
+    if (origin === 'github.com' && next.endsWith('.githubusercontent.com')) return true;
+    return false;
+}
+
+function downloadUrlToFile(targetUrl, filePath, options = {}) {
+    const maxBytes = Number.isFinite(options.maxBytes) && options.maxBytes > 0
+        ? Math.floor(options.maxBytes)
+        : MAX_SKILLS_ZIP_UPLOAD_SIZE;
+    const timeoutMs = Number.isFinite(options.timeoutMs) && options.timeoutMs > 0
+        ? Math.floor(options.timeoutMs)
+        : 30000;
+    const maxRedirects = Number.isFinite(options.maxRedirects) && options.maxRedirects >= 0
+        ? Math.floor(options.maxRedirects)
+        : 5;
+
+    return new Promise((resolve, reject) => {
+        let parsed;
+        try {
+            parsed = new URL(targetUrl);
+        } catch (_) {
+            reject(new Error('Invalid URL'));
+            return;
+        }
+        if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+            reject(new Error(`ERR_INVALID_PROTOCOL: Protocol "${parsed.protocol}" not supported. Expected "http:" or "https:"`));
+            return;
+        }
+
+        const transport = parsed.protocol === 'https:' ? https : http;
+        const requestOptions = {
+            method: 'GET',
+            headers: {
+                'User-Agent': 'codexmate-import-skills',
+                'Accept': 'application/octet-stream,application/zip,*/*'
+            }
+        };
+
+        const req = transport.request(parsed, requestOptions, (res) => {
+            const status = Number(res.statusCode) || 0;
+            const redirectLocation = res.headers && typeof res.headers.location === 'string' ? res.headers.location : '';
+            if (status >= 300 && status < 400 && redirectLocation) {
+                if (maxRedirects <= 0) {
+                    reject(new Error('Too many redirects'));
+                    return;
+                }
+                const nextUrl = redirectLocation.startsWith('http')
+                    ? redirectLocation
+                    : `${parsed.origin}${redirectLocation}`;
+                let originHost = typeof options.originHost === 'string' && options.originHost.trim()
+                    ? options.originHost.trim()
+                    : parsed.host;
+                try {
+                    const nextParsed = new URL(nextUrl);
+                    if (!isAllowedSkillsRedirectHost(originHost, nextParsed.host)) {
+                        res.resume();
+                        reject(new Error('Cross-origin redirect is not allowed'));
+                        return;
+                    }
+                } catch (_) {}
+                res.resume();
+                downloadUrlToFile(nextUrl, filePath, { maxBytes, timeoutMs, maxRedirects: maxRedirects - 1, originHost })
+                    .then(resolve)
+                    .catch(reject);
+                return;
+            }
+            if (status < 200 || status >= 300) {
+                res.resume();
+                reject(new Error(`HTTP ${status}`));
+                return;
+            }
+
+            const out = fs.createWriteStream(filePath, { flags: 'w' });
+            let bytes = 0;
+            let finished = false;
+
+            const fail = (err) => {
+                if (finished) return;
+                finished = true;
+                try {
+                    out.close();
+                } catch (_) {}
+                try {
+                    fs.unlinkSync(filePath);
+                } catch (_) {}
+                reject(err);
+            };
+
+            res.on('data', (chunk) => {
+                if (!chunk || finished) return;
+                bytes += chunk.length;
+                if (bytes > maxBytes) {
+                    req.destroy(new Error('download too large'));
+                    res.destroy(new Error('download too large'));
+                    fail(new Error('Download too large'));
+                }
+            });
+
+            res.on('error', fail);
+            out.on('error', fail);
+            out.on('finish', () => {
+                if (finished) return;
+                finished = true;
+                resolve({ bytes });
+            });
+
+            res.pipe(out);
+        });
+
+        req.on('error', (err) => {
+            reject(new Error(err && err.message ? err.message : 'request failed'));
+        });
+        req.setTimeout(timeoutMs, () => {
+            req.destroy(new Error('timeout'));
+        });
+        req.end();
+    });
+}
+
+function printImportSkillsUsage() {
+    process.stdout.write('\n用法:\n');
+    process.stdout.write('  codexmate import-skills <URL> [--target-app codex|claude] [--name <NAME>] [--timeout-ms <MS>]\n');
+    process.stdout.write('\n示例:\n');
+    process.stdout.write('  codexmate import-skills https://github.com/<owner>/<repo>\n');
+    process.stdout.write('  codexmate import-skills https://github.com/<owner>/<repo>/tree/dev\n');
+    process.stdout.write('  codexmate import-skills https://github.com/<owner>/<repo>/archive/refs/heads/main.zip\n');
+}
+
+function parseImportSkillsCommandArgs(argv = []) {
+    const options = {
+        url: '',
+        targetApp: 'codex',
+        name: '',
+        timeoutMs: 30000,
+        help: false
+    };
+    let cursor = 0;
+    while (cursor < argv.length) {
+        const token = String(argv[cursor] || '');
+        if (token === '--help' || token === '-h') {
+            options.help = true;
+            cursor += 1;
+            continue;
+        }
+        if (token && !token.startsWith('-') && !options.url) {
+            options.url = token.trim();
+            cursor += 1;
+            continue;
+        }
+        if (token === '--target-app') {
+            const value = String(argv[cursor + 1] || '').trim().toLowerCase();
+            if (!value || value.startsWith('-')) {
+                throw new Error('错误: --target-app 需要一个值（codex/claude）');
+            }
+            options.targetApp = value === 'claude' ? 'claude' : 'codex';
+            cursor += 2;
+            continue;
+        }
+        if (token === '--name') {
+            const value = String(argv[cursor + 1] || '').trim();
+            if (!value || value.startsWith('-')) {
+                throw new Error('错误: --name 需要一个值');
+            }
+            options.name = value;
+            cursor += 2;
+            continue;
+        }
+        if (token === '--timeout-ms') {
+            const value = Number(argv[cursor + 1]);
+            if (!Number.isFinite(value) || value <= 0) {
+                throw new Error('错误: --timeout-ms 需要一个正整数');
+            }
+            options.timeoutMs = Math.floor(value);
+            cursor += 2;
+            continue;
+        }
+        if (token.startsWith('-')) {
+            throw new Error(`错误: 未知参数: ${token}`);
+        }
+        throw new Error(`错误: 多余参数: ${token}`);
+    }
+    return options;
+}
+
+async function cmdImportSkills(argv = []) {
+    const options = parseImportSkillsCommandArgs(argv);
+    if (options.help) {
+        printImportSkillsUsage();
+        return;
+    }
+    if (!options.url) {
+        printImportSkillsUsage();
+        throw new Error('错误: 缺少 URL（例如: https://github.com/<owner>/<repo>/archive/refs/heads/main.zip）');
+    }
+    const candidates = buildGithubArchiveZipCandidates(options.url);
+    if (!candidates.length) {
+        const resolvedGithubUrl = resolveGithubArchiveZipUrl(options.url);
+        candidates.push(resolvedGithubUrl || options.url);
+    }
+    const uniqueCandidates = Array.from(new Set(candidates.filter(Boolean)));
+    if (!uniqueCandidates.length || !uniqueCandidates.every(isValidHttpUrl)) {
+        throw new Error('错误: URL 非法（仅支持 http/https）');
+    }
+
+    const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'codexmate-skills-url-'));
+    const zipPath = path.join(tempDir, 'skills.zip');
+    let finalUrl = uniqueCandidates[0];
+    try {
+        let lastError = null;
+        for (const candidateUrl of uniqueCandidates) {
+            finalUrl = candidateUrl;
+            console.log(`\n[Skills] Download: ${redactUrlForLog(candidateUrl)}`);
+            try {
+                await downloadUrlToFile(candidateUrl, zipPath, {
+                    maxBytes: MAX_SKILLS_ZIP_UPLOAD_SIZE,
+                    timeoutMs: options.timeoutMs,
+                    maxRedirects: 5
+                });
+                lastError = null;
+                break;
+            } catch (e) {
+                lastError = e;
+                if (extractHttpStatusFromError(e) === 404) {
+                    continue;
+                }
+                throw e;
+            }
+        }
+        if (lastError) {
+            throw lastError;
+        }
+        const fallbackName = options.name || path.basename(new URL(finalUrl).pathname) || 'skills.zip';
+        const result = await importSkillsFromZipFile(zipPath, {
+            tempDir,
+            targetApp: options.targetApp,
+            fallbackName
+        });
+        process.stdout.write(JSON.stringify(result, null, 2) + '\n');
+    } finally {
+        try {
+            fs.rmSync(tempDir, { recursive: true, force: true });
+        } catch (_) {}
+    }
+}
+
+module.exports = {
+    parseGithubRepoFromUrl,
+    resolveGithubArchiveZipUrl,
+    buildGithubArchiveZipCandidates,
+    cmdImportSkills
+};

package/cli/openai-bridge.js

@@ -238,6 +238,10 @@ function normalizeResponsesInputToChatMessages(input) {
                 out.push({ type: 'text', text: block.text });
                 continue;
             }
+            if ((type === 'reasoning' || type === 'reasoning_text' || type === 'reasoning_content') && typeof block.text === 'string') {
+                out.push({ type: 'text', text: block.text });
+                continue;
+            }
             if (type === 'input_image') {
                 const raw = block.image_url != null ? block.image_url : block.imageUrl;
                 const url = typeof raw === 'string'
@@ -255,7 +259,21 @@ function normalizeResponsesInputToChatMessages(input) {
             }
             if (type === 'image_url' && block.image_url) {
                 out.push({ type: 'image_url', image_url: block.image_url });
+                continue;
+            }
+            const text = typeof block.text === 'string'
+                ? block.text
+                : (typeof block.content === 'string' ? block.content : '');
+            if (text) {
+                out.push({ type: 'text', text });
+                continue;
             }
+            try {
+                const raw = JSON.stringify(block);
+                if (raw) {
+                    out.push({ type: 'text', text: raw.slice(0, 4000) });
+                }
+            } catch (_) {}
         }
         if (out.length === 0) return '';
         return out;
@@ -635,6 +653,9 @@ async function proxyRequestJson(targetUrl, options = {}) {
     const parsed = new URL(targetUrl);
     const transport = parsed.protocol === 'https:' ? https : http;
     const bodyText = options.body ? JSON.stringify(options.body) : '';
+    const maxBytes = Number.isFinite(options.maxBytes) && options.maxBytes > 0
+        ? Math.floor(options.maxBytes)
+        : 0;
     const headers = {
         'Accept': 'application/json',
         ...(options.body ? { 'Content-Type': 'application/json' } : {}),
@@ -664,7 +685,21 @@ async function proxyRequestJson(targetUrl, options = {}) {
             agent: parsed.protocol === 'https:' ? options.httpsAgent : options.httpAgent
         }, (upstreamRes) => {
             const chunks = [];
-            upstreamRes.on('data', (chunk) => chunk && chunks.push(chunk));
+            let size = 0;
+            upstreamRes.on('data', (chunk) => {
+                if (!chunk) return;
+                if (maxBytes > 0) {
+                    size += chunk.length;
+                    if (size > maxBytes) {
+                        chunks.length = 0;
+                        try { upstreamRes.destroy(new Error('response too large')); } catch (_) {}
+                        try { req.destroy(new Error('response too large')); } catch (_) {}
+                        finish({ ok: false, error: 'response too large' });
+                        return;
+                    }
+                }
+                chunks.push(chunk);
+            });
             upstreamRes.on('end', () => {
                 const text = chunks.length ? Buffer.concat(chunks).toString('utf-8') : '';
                 finish({
@@ -689,12 +724,16 @@ async function proxyRequestJson(targetUrl, options = {}) {
 
 function createOpenaiBridgeHttpHandler(options = {}) {
     const settingsFile = options.settingsFile;
-    const expectedToken = typeof options.expectedToken === 'string' && options.expectedToken.trim()
-        ? options.expectedToken.trim()
-        : DEFAULT_BRIDGE_TOKEN;
+    const expectedTokenRaw = typeof options.expectedToken === 'string' ? options.expectedToken.trim() : '';
+    const expectedToken = Object.prototype.hasOwnProperty.call(options, 'expectedToken')
+        ? expectedTokenRaw
+        : (expectedTokenRaw || DEFAULT_BRIDGE_TOKEN);
     const maxBodySize = Number.isFinite(options.maxBodySize) ? options.maxBodySize : 0;
     const httpAgent = options.httpAgent;
     const httpsAgent = options.httpsAgent;
+    const maxUpstreamBytes = Number.isFinite(options.maxUpstreamBytes) && options.maxUpstreamBytes > 0
+        ? Math.floor(options.maxUpstreamBytes)
+        : Math.max(16 * 1024 * 1024, maxBodySize > 0 ? maxBodySize * 4 : 0);
 
     if (!settingsFile) {
         throw new Error('createOpenaiBridgeHttpHandler 缺少 settingsFile');
@@ -730,6 +769,11 @@ function createOpenaiBridgeHttpHandler(options = {}) {
             // 为避免在 LAN 暴露无鉴权的代理，这里仅允许 loopback 连接缺省 token。
             const remoteAddr = req && req.socket ? req.socket.remoteAddress : '';
             const isLoopback = isLoopbackAddress(remoteAddr);
+            if (!isLoopback && !expectedToken) {
+                res.writeHead(403, { 'Content-Type': 'application/json; charset=utf-8' });
+                res.end(JSON.stringify({ error: 'Remote access is disabled (set CODEXMATE_HTTP_TOKEN)' }));
+                return;
+            }
             if (!token && !isLoopback) {
                 res.writeHead(401, { 'Content-Type': 'application/json; charset=utf-8' });
                 res.end(JSON.stringify({ error: 'Unauthorized' }));
@@ -774,6 +818,7 @@ function createOpenaiBridgeHttpHandler(options = {}) {
                         ...(authHeader ? { Authorization: authHeader } : {}),
                         ...upstreamHeaders
                     },
+                    maxBytes: maxUpstreamBytes,
                     httpAgent,
                     httpsAgent
                 });
@@ -827,6 +872,7 @@ function createOpenaiBridgeHttpHandler(options = {}) {
                     ...(authHeader ? { Authorization: authHeader } : {}),
                     ...upstreamHeaders
                 },
+                maxBytes: maxUpstreamBytes,
                 httpAgent,
                 httpsAgent
             });
@@ -887,6 +933,7 @@ function createOpenaiBridgeHttpHandler(options = {}) {
                     ...(authHeader ? { Authorization: authHeader } : {}),
                     ...upstreamHeaders
                 },
+                maxBytes: maxUpstreamBytes,
                 httpAgent,
                 httpsAgent
             });

package/cli/session-usage.js

@@ -7,11 +7,13 @@ async function listSessionUsageCore(params = {}, deps = {}) {
         listSessionBrowse,
         parseCodexSessionSummary,
         parseClaudeSessionSummary,
+        parseCodeBuddySessionSummary,
+        parseGeminiSessionSummary,
         MAX_SESSION_USAGE_LIST_SIZE,
         SESSION_BROWSE_SUMMARY_READ_BYTES
     } = deps;
 
-    const source = params.source === 'codex' || params.source === 'claude'
+    const source = params.source === 'codex' || params.source === 'claude' || params.source === 'gemini' || params.source === 'codebuddy'
         ? params.source
         : 'all';
     const rawLimit = Number(params.limit);
@@ -81,7 +83,11 @@ async function listSessionUsageCore(params = {}, deps = {}) {
             try {
                 summary = normalized.source === 'claude'
                     ? parseClaudeSessionSummary(filePath, summaryOptions)
-                    : parseCodexSessionSummary(filePath, summaryOptions);
+                    : (normalized.source === 'gemini'
+                        ? parseGeminiSessionSummary(filePath, summaryOptions)
+                        : (normalized.source === 'codebuddy'
+                            ? parseCodeBuddySessionSummary(filePath, summaryOptions)
+                            : parseCodexSessionSummary(filePath, summaryOptions)));
             } catch (_) {
                 summary = null;
             }