codexmate 0.0.24 → 0.0.25

package/README.md

@@ -1,6 +1,6 @@
 <div align="center">
 
-<img src="res/logo.png" alt="Codex Mate logo" width="180" />
+<img src="site/.vitepress/public/images/logo.png" alt="Codex Mate logo" width="180" />
 
 # Codex Mate
 
@@ -29,7 +29,7 @@ Codex Mate is a local-first CLI + Web UI for unified management of:
 - Claude Code `CLAUDE.md` editing (writes to `~/.claude/CLAUDE.md`)
 - OpenClaw JSON5 profiles and workspace `AGENTS.md`
 - Local skills market for Codex / Claude Code (target switching, local skills management, cross-app import, ZIP distribution)
-- Local Codex/Claude sessions (list/filter/export/delete) with Usage analytics overview
+- Local Codex/Claude/Gemini CLI/CodeBuddy Code sessions (list/filter/export/delete) with Usage analytics overview
 - Plugins (Prompt templates): reusable templates with variables and one-click copy
 - Task orchestration: plan/queue/run/review local tasks
 
@@ -57,12 +57,18 @@ It works on local files directly and does not require cloud hosting. The skills
 - OpenClaw JSON5 profile management
 
 **Session Management**
-- Unified Codex + Claude session list
+- Unified Codex + Claude + Gemini CLI + CodeBuddy Code session list
+- Session locations (local-first, configurable):
+  - Codex: `~/.codex/sessions/*.jsonl` (or `$CODEX_HOME/sessions`, `$XDG_CONFIG_HOME/codex/sessions`)
+  - Claude: `~/.claude/projects/**/**/*.jsonl` (or `$CLAUDE_HOME/projects`, `$XDG_CONFIG_HOME/claude/projects`)
+  - Gemini: `~/.gemini/tmp/*/chats/*.json` (or `$GEMINI_HOME/tmp`, `$XDG_CONFIG_HOME/gemini/tmp`)
+  - CodeBuddy: `~/.codebuddy/projects/**/**/*.jsonl` (or `$CODEBUDDY_CODE_HOME_DIR/projects`)
 - Local session pinning with persistent pinned state and pinned-first ordering
-- Keyword/source/cwd filters
+- Keyword/source/cwd/role/time filters, plus shareable filter links
+- Copy resume command (Codex/Gemini/CodeBuddy): `codex resume <sessionId>` / `gemini -r <sessionId>` / `codebuddy -r <sessionId>`
 - Fast search UX: short-lived query result caching to avoid rescanning on each keystroke
 - Usage subview with 7d / 30d session trends, message trends, source share, and top paths
-- Markdown export
+- Markdown export (Web UI + `codexmate export-session`, supports `--session-id` or `--file`)
 - Session-level and message-level delete (supports batch), with a local recycle bin for restore/purge
 - Large-session preview optimization (fast tail preview path)
 
@@ -78,10 +84,20 @@ It works on local files directly and does not require cloud hosting. The skills
 
 **Engineering Utilities**
 - MCP stdio domains (`tools`, `resources`, `prompts`)
+- Automation hooks (`/hooks/*`) + outbound webhook notifiers
 - Built-in proxy controls (`proxy`)
 - Auth profile management (`auth`)
 - Zip/unzip utilities
 
+## Automation (signal → action)
+
+When running `codexmate run`, you can accept external webhooks and convert them into queued tasks:
+
+- Webhook entry: `POST /hooks/<source>` (currently `github`, `gitlab`)
+- Rule config: `~/.codex/codexmate-automation.json`
+- Supported action: `task.queue.add` (optionally `startQueue: true`)
+- Notifications: `notifiers[]` supports `type: "webhook"` for Slack/Feishu-style incoming webhooks
+
 ## Architecture
 
 ### At a glance (what it does → what you get)
@@ -166,6 +182,12 @@ npm install -g @mmmbuto/codex-cli-termux@latest
 
 # Claude Code
 npm install -g @anthropic-ai/claude-code
+
+# Gemini CLI
+npm install -g @google/gemini-cli
+
+# CodeBuddy Code
+npm install -g @tencent-ai/codebuddy-code
 ```
 
 ### Run from source
@@ -213,7 +235,7 @@ npm run reset 79
 | `codexmate qwen [args...]` | Qwen CLI passthrough entrypoint |
 | `codexmate run [--host <HOST>] [--no-browser]` | Start Web UI |
 | `codexmate mcp serve [--read-only\|--allow-write]` | Start MCP stdio server |
-| `codexmate export-session --source <codex\|claude> ...` | Export session to Markdown |
+| `codexmate export-session --source <codex\|claude\|gemini\|codebuddy> ...` | Export session to Markdown |
 | `codexmate zip <path> [--max:0-9]` / `codexmate unzip <zip> [out]` | Zip / unzip |
 | `codexmate unzip-ext <zip-dir> [out] [--ext:suffix[,suffix...]] [--no-recursive]` | Extract files with target suffixes from ZIP files in a directory (default `.json`, recursive by default) |
 

package/README.zh.md

@@ -1,6 +1,6 @@
 <div align="center">
 
-<img src="res/logo.png" alt="Codex Mate logo" width="180" />
+<img src="site/.vitepress/public/images/logo.png" alt="Codex Mate logo" width="180" />
 
 # Codex Mate
 
@@ -29,7 +29,7 @@ Codex Mate 提供一套本地优先的 CLI + Web UI，用于统一管理：
 - Claude Code `CLAUDE.md` 编辑（写入 `~/.claude/CLAUDE.md`）
 - OpenClaw JSON5 配置与 Workspace `AGENTS.md`
 - Codex / Claude Code Skills 市场（安装目标切换、本地 skills 管理、跨应用导入、ZIP 分发）
-- Codex / Claude 本地会话浏览、筛选、导出、删除与 Usage 统计概览
+- Codex / Claude / Gemini CLI / CodeBuddy Code 本地会话浏览、筛选、导出、删除与 Usage 统计概览
 - 插件（提示词模板）：模板复用、变量填写、一键复制
 - 任务编排：规划 / 排队 / 执行 / 回看
 
@@ -58,12 +58,18 @@ Codex Mate 提供一套本地优先的 CLI + Web UI，用于统一管理：
 - OpenClaw JSON5 配置方案管理
 
 **会话管理**
-- 同页查看 Codex 与 Claude 会话
+- 同页查看 Codex、Claude、Gemini CLI 与 CodeBuddy Code 会话
+- 会话来源与默认路径（本地优先，可通过环境变量覆盖）：
+  - Codex：`~/.codex/sessions/*.jsonl`（或 `$CODEX_HOME/sessions`、`$XDG_CONFIG_HOME/codex/sessions`）
+  - Claude：`~/.claude/projects/**/**/*.jsonl`（或 `$CLAUDE_HOME/projects`、`$XDG_CONFIG_HOME/claude/projects`）
+  - Gemini：`~/.gemini/tmp/*/chats/*.json`（或 `$GEMINI_HOME/tmp`、`$XDG_CONFIG_HOME/gemini/tmp`）
+  - CodeBuddy：`~/.codebuddy/projects/**/**/*.jsonl`（或 `$CODEBUDDY_CODE_HOME_DIR/projects`）
 - 支持本地会话置顶，置顶状态持久化保存并优先排序显示
-- 关键词搜索、来源筛选、cwd 路径筛选
+- 关键词搜索、来源筛选、cwd/角色/时间筛选，并支持复制筛选链接
+- 复制恢复命令（Codex/Gemini/CodeBuddy）：`codex resume <sessionId>` / `gemini -r <sessionId>` / `codebuddy -r <sessionId>`
 - 搜索体验优化：短周期结果缓存，避免输入时重复扫描
 - Usage 子页：近 7 天 / 近 30 天会话趋势、消息趋势、来源占比、高频路径
-- 会话导出 Markdown
+- 会话导出 Markdown（Web UI + `codexmate export-session`，支持 `--session-id` 或 `--file`）
 - 会话与消息级删除（支持批量），并提供本地回收站用于恢复/彻底删除
 - 大会话预览优化（快速 tail 预览路径）
 
@@ -83,8 +89,18 @@ Codex Mate 提供一套本地优先的 CLI + Web UI，用于统一管理：
 
 **工程能力**
 - MCP stdio 能力（tools/resources/prompts）
+- 自动化钩子（`/hooks/*`）+ 外发 webhook 通知
 - Zip 压缩/解压（优先系统工具，失败回退 JS 库）
 
+## 自动化（信号 → 行动）
+
+运行 `codexmate run` 后，可接收外部 webhook 并转为任务队列：
+
+- 入口：`POST /hooks/<source>`（当前支持 `github`、`gitlab`）
+- 规则：`~/.codex/codexmate-automation.json`
+- 动作：`task.queue.add`（可选 `startQueue: true`）
+- 通知：`notifiers[]` 支持 `type: "webhook"`（适配 Slack/飞书等入站 webhook）
+
 ## 架构总览
 
 ### 一图看懂（从“做什么”到“产生什么效果”）
@@ -156,7 +172,7 @@ codexmate run
 
 > 安全提示：默认监听会在当前局域网暴露未鉴权的管理界面。若包含 API Key、provider 配置或 skills 管理，请仅在可信网络中使用；如需仅本机访问，可设置 `CODEXMATE_HOST=127.0.0.1` 或启动时传入 `--host 127.0.0.1`。
 
-### 安装 Codex CLI / Claude Code（可选）
+### 安装 Codex CLI / Claude Code / Gemini CLI / CodeBuddy Code（可选）
 
 Codex Mate 支持透传调用官方 CLI（例如 `codexmate codex ...`），建议先安装：
 
@@ -169,6 +185,12 @@ npm install -g @mmmbuto/codex-cli-termux@latest
 
 # Claude Code
 npm install -g @anthropic-ai/claude-code
+
+# Gemini CLI
+npm install -g @google/gemini-cli
+
+# CodeBuddy Code
+npm install -g @tencent-ai/codebuddy-code
 ```
 
 ### 从源码运行
@@ -215,7 +237,7 @@ npm run reset 79
 | `codexmate qwen [args...]` | Qwen CLI 透传入口 |
 | `codexmate run [--host <HOST>] [--no-browser]` | 启动 Web UI |
 | `codexmate mcp serve [--read-only\|--allow-write]` | 启动 MCP stdio 服务 |
-| `codexmate export-session --source <codex\|claude> ...` | 导出会话为 Markdown |
+| `codexmate export-session --source <codex\|claude\|gemini\|codebuddy> ...` | 导出会话为 Markdown |
 | `codexmate zip <path> [--max:0-9]` / `codexmate unzip <zip> [out]` | 压缩 / 解压 |
 | `codexmate unzip-ext <zip-dir> [out] [--ext:suffix[,suffix...]] [--no-recursive]` | 批量提取目录下 ZIP 内指定后缀文件（默认 `.json`，默认递归） |
 

package/cli/builtin-proxy.js

@@ -674,6 +674,41 @@ function createBuiltinProxyRuntimeController(deps = {}) {
                 return;
             }
 
+            const remoteAddr = req && req.socket ? req.socket.remoteAddress : '';
+            const isLoopback = !remoteAddr
+                || remoteAddr === '127.0.0.1'
+                || remoteAddr === '::1'
+                || remoteAddr === '::ffff:127.0.0.1';
+            if (!isLoopback) {
+                const expected = typeof process.env.CODEXMATE_HTTP_TOKEN === 'string'
+                    ? process.env.CODEXMATE_HTTP_TOKEN.trim()
+                    : '';
+                if (!expected) {
+                    const body = JSON.stringify({ error: 'Remote access is disabled (set CODEXMATE_HTTP_TOKEN)' });
+                    res.writeHead(403, {
+                        'Content-Type': 'application/json; charset=utf-8',
+                        'Content-Length': Buffer.byteLength(body, 'utf-8')
+                    });
+                    res.end(body, 'utf-8');
+                    return;
+                }
+                const headers = req && req.headers && typeof req.headers === 'object' ? req.headers : {};
+                const rawAuth = typeof headers.authorization === 'string' ? headers.authorization.trim() : '';
+                const match = rawAuth ? rawAuth.match(/^bearer\s+(.+)$/i) : null;
+                const actual = match && match[1]
+                    ? match[1].trim()
+                    : (rawAuth ? rawAuth : (typeof headers['x-codexmate-token'] === 'string' ? String(headers['x-codexmate-token']).trim() : ''));
+                if (!actual || actual !== expected) {
+                    const body = JSON.stringify({ error: 'Unauthorized' });
+                    res.writeHead(401, {
+                        'Content-Type': 'application/json; charset=utf-8',
+                        'Content-Length': Buffer.byteLength(body, 'utf-8')
+                    });
+                    res.end(body, 'utf-8');
+                    return;
+                }
+            }
+
             const incomingPath = parsedIncoming.pathname || '/';
             if (incomingPath === '/health' || incomingPath === '/status') {
                 const body = JSON.stringify({

package/cli/claude-proxy.js

@@ -864,6 +864,30 @@ function createBuiltinClaudeProxyRuntimeController(deps = {}) {
     function createBuiltinClaudeProxyServer(settings, upstream) {
         const connections = new Set();
         const server = http.createServer((req, res) => {
+            const remoteAddr = req && req.socket ? req.socket.remoteAddress : '';
+            const isLoopback = !remoteAddr
+                || remoteAddr === '127.0.0.1'
+                || remoteAddr === '::1'
+                || remoteAddr === '::ffff:127.0.0.1';
+            if (!isLoopback) {
+                const expected = typeof process.env.CODEXMATE_HTTP_TOKEN === 'string'
+                    ? process.env.CODEXMATE_HTTP_TOKEN.trim()
+                    : '';
+                if (!expected) {
+                    writeAnthropicProxyError(res, 403, 'Remote access is disabled (set CODEXMATE_HTTP_TOKEN)', 'authentication_error');
+                    return;
+                }
+                const headers = req && req.headers && typeof req.headers === 'object' ? req.headers : {};
+                const rawAuth = typeof headers.authorization === 'string' ? headers.authorization.trim() : '';
+                const match = rawAuth ? rawAuth.match(/^bearer\s+(.+)$/i) : null;
+                const actual = match && match[1]
+                    ? match[1].trim()
+                    : (rawAuth ? rawAuth : (typeof headers['x-codexmate-token'] === 'string' ? String(headers['x-codexmate-token']).trim() : ''));
+                if (!actual || actual !== expected) {
+                    writeAnthropicProxyError(res, 401, 'Unauthorized', 'authentication_error');
+                    return;
+                }
+            }
             handleBuiltinClaudeProxyRequest(req, res, settings, upstream).catch((err) => {
                 if (res.headersSent) {
                     try { res.destroy(err); } catch (_) {}

package/cli/import-skills-url.js

@@ -97,6 +97,17 @@ function extractHttpStatusFromError(err) {
     return Number.isFinite(value) ? value : 0;
 }
 
+function isAllowedSkillsRedirectHost(originHost, nextHost) {
+    const origin = typeof originHost === 'string' ? originHost.trim().toLowerCase() : '';
+    const next = typeof nextHost === 'string' ? nextHost.trim().toLowerCase() : '';
+    if (!origin || !next) return false;
+    if (origin === next) return true;
+    if (process.env.CODEXMATE_ALLOW_SKILLS_REDIRECT === '1') return true;
+    if (origin === 'github.com' && next === 'codeload.github.com') return true;
+    if (origin === 'github.com' && next.endsWith('.githubusercontent.com')) return true;
+    return false;
+}
+
 function downloadUrlToFile(targetUrl, filePath, options = {}) {
     const maxBytes = Number.isFinite(options.maxBytes) && options.maxBytes > 0
         ? Math.floor(options.maxBytes)
@@ -141,8 +152,19 @@ function downloadUrlToFile(targetUrl, filePath, options = {}) {
                 const nextUrl = redirectLocation.startsWith('http')
                     ? redirectLocation
                     : `${parsed.origin}${redirectLocation}`;
+                let originHost = typeof options.originHost === 'string' && options.originHost.trim()
+                    ? options.originHost.trim()
+                    : parsed.host;
+                try {
+                    const nextParsed = new URL(nextUrl);
+                    if (!isAllowedSkillsRedirectHost(originHost, nextParsed.host)) {
+                        res.resume();
+                        reject(new Error('Cross-origin redirect is not allowed'));
+                        return;
+                    }
+                } catch (_) {}
                 res.resume();
-                downloadUrlToFile(nextUrl, filePath, { maxBytes, timeoutMs, maxRedirects: maxRedirects - 1 })
+                downloadUrlToFile(nextUrl, filePath, { maxBytes, timeoutMs, maxRedirects: maxRedirects - 1, originHost })
                     .then(resolve)
                     .catch(reject);
                 return;

package/cli/openai-bridge.js

@@ -238,6 +238,10 @@ function normalizeResponsesInputToChatMessages(input) {
                 out.push({ type: 'text', text: block.text });
                 continue;
             }
+            if ((type === 'reasoning' || type === 'reasoning_text' || type === 'reasoning_content') && typeof block.text === 'string') {
+                out.push({ type: 'text', text: block.text });
+                continue;
+            }
             if (type === 'input_image') {
                 const raw = block.image_url != null ? block.image_url : block.imageUrl;
                 const url = typeof raw === 'string'
@@ -255,7 +259,21 @@ function normalizeResponsesInputToChatMessages(input) {
             }
             if (type === 'image_url' && block.image_url) {
                 out.push({ type: 'image_url', image_url: block.image_url });
+                continue;
+            }
+            const text = typeof block.text === 'string'
+                ? block.text
+                : (typeof block.content === 'string' ? block.content : '');
+            if (text) {
+                out.push({ type: 'text', text });
+                continue;
             }
+            try {
+                const raw = JSON.stringify(block);
+                if (raw) {
+                    out.push({ type: 'text', text: raw.slice(0, 4000) });
+                }
+            } catch (_) {}
         }
         if (out.length === 0) return '';
         return out;
@@ -635,6 +653,9 @@ async function proxyRequestJson(targetUrl, options = {}) {
     const parsed = new URL(targetUrl);
     const transport = parsed.protocol === 'https:' ? https : http;
     const bodyText = options.body ? JSON.stringify(options.body) : '';
+    const maxBytes = Number.isFinite(options.maxBytes) && options.maxBytes > 0
+        ? Math.floor(options.maxBytes)
+        : 0;
     const headers = {
         'Accept': 'application/json',
         ...(options.body ? { 'Content-Type': 'application/json' } : {}),
@@ -664,7 +685,21 @@ async function proxyRequestJson(targetUrl, options = {}) {
             agent: parsed.protocol === 'https:' ? options.httpsAgent : options.httpAgent
         }, (upstreamRes) => {
             const chunks = [];
-            upstreamRes.on('data', (chunk) => chunk && chunks.push(chunk));
+            let size = 0;
+            upstreamRes.on('data', (chunk) => {
+                if (!chunk) return;
+                if (maxBytes > 0) {
+                    size += chunk.length;
+                    if (size > maxBytes) {
+                        chunks.length = 0;
+                        try { upstreamRes.destroy(new Error('response too large')); } catch (_) {}
+                        try { req.destroy(new Error('response too large')); } catch (_) {}
+                        finish({ ok: false, error: 'response too large' });
+                        return;
+                    }
+                }
+                chunks.push(chunk);
+            });
             upstreamRes.on('end', () => {
                 const text = chunks.length ? Buffer.concat(chunks).toString('utf-8') : '';
                 finish({
@@ -689,12 +724,16 @@ async function proxyRequestJson(targetUrl, options = {}) {
 
 function createOpenaiBridgeHttpHandler(options = {}) {
     const settingsFile = options.settingsFile;
-    const expectedToken = typeof options.expectedToken === 'string' && options.expectedToken.trim()
-        ? options.expectedToken.trim()
-        : DEFAULT_BRIDGE_TOKEN;
+    const expectedTokenRaw = typeof options.expectedToken === 'string' ? options.expectedToken.trim() : '';
+    const expectedToken = Object.prototype.hasOwnProperty.call(options, 'expectedToken')
+        ? expectedTokenRaw
+        : (expectedTokenRaw || DEFAULT_BRIDGE_TOKEN);
     const maxBodySize = Number.isFinite(options.maxBodySize) ? options.maxBodySize : 0;
     const httpAgent = options.httpAgent;
     const httpsAgent = options.httpsAgent;
+    const maxUpstreamBytes = Number.isFinite(options.maxUpstreamBytes) && options.maxUpstreamBytes > 0
+        ? Math.floor(options.maxUpstreamBytes)
+        : Math.max(16 * 1024 * 1024, maxBodySize > 0 ? maxBodySize * 4 : 0);
 
     if (!settingsFile) {
         throw new Error('createOpenaiBridgeHttpHandler 缺少 settingsFile');
@@ -730,6 +769,11 @@ function createOpenaiBridgeHttpHandler(options = {}) {
             // 为避免在 LAN 暴露无鉴权的代理，这里仅允许 loopback 连接缺省 token。
             const remoteAddr = req && req.socket ? req.socket.remoteAddress : '';
             const isLoopback = isLoopbackAddress(remoteAddr);
+            if (!isLoopback && !expectedToken) {
+                res.writeHead(403, { 'Content-Type': 'application/json; charset=utf-8' });
+                res.end(JSON.stringify({ error: 'Remote access is disabled (set CODEXMATE_HTTP_TOKEN)' }));
+                return;
+            }
             if (!token && !isLoopback) {
                 res.writeHead(401, { 'Content-Type': 'application/json; charset=utf-8' });
                 res.end(JSON.stringify({ error: 'Unauthorized' }));
@@ -774,6 +818,7 @@ function createOpenaiBridgeHttpHandler(options = {}) {
                         ...(authHeader ? { Authorization: authHeader } : {}),
                         ...upstreamHeaders
                     },
+                    maxBytes: maxUpstreamBytes,
                     httpAgent,
                     httpsAgent
                 });
@@ -827,6 +872,7 @@ function createOpenaiBridgeHttpHandler(options = {}) {
                     ...(authHeader ? { Authorization: authHeader } : {}),
                     ...upstreamHeaders
                 },
+                maxBytes: maxUpstreamBytes,
                 httpAgent,
                 httpsAgent
             });
@@ -887,6 +933,7 @@ function createOpenaiBridgeHttpHandler(options = {}) {
                     ...(authHeader ? { Authorization: authHeader } : {}),
                     ...upstreamHeaders
                 },
+                maxBytes: maxUpstreamBytes,
                 httpAgent,
                 httpsAgent
             });

package/cli/session-usage.js

@@ -7,11 +7,13 @@ async function listSessionUsageCore(params = {}, deps = {}) {
         listSessionBrowse,
         parseCodexSessionSummary,
         parseClaudeSessionSummary,
+        parseCodeBuddySessionSummary,
+        parseGeminiSessionSummary,
         MAX_SESSION_USAGE_LIST_SIZE,
         SESSION_BROWSE_SUMMARY_READ_BYTES
     } = deps;
 
-    const source = params.source === 'codex' || params.source === 'claude'
+    const source = params.source === 'codex' || params.source === 'claude' || params.source === 'gemini' || params.source === 'codebuddy'
         ? params.source
         : 'all';
     const rawLimit = Number(params.limit);
@@ -81,7 +83,11 @@ async function listSessionUsageCore(params = {}, deps = {}) {
             try {
                 summary = normalized.source === 'claude'
                     ? parseClaudeSessionSummary(filePath, summaryOptions)
-                    : parseCodexSessionSummary(filePath, summaryOptions);
+                    : (normalized.source === 'gemini'
+                        ? parseGeminiSessionSummary(filePath, summaryOptions)
+                        : (normalized.source === 'codebuddy'
+                            ? parseCodeBuddySessionSummary(filePath, summaryOptions)
+                            : parseCodexSessionSummary(filePath, summaryOptions)));
             } catch (_) {
                 summary = null;
             }