free-coding-models 0.3.66 → 0.3.67

package/CHANGELOG.md

@@ -1,15 +1,45 @@
-## [0.3.66] - 2026-05-16
+## [0.3.67] - 2026-05-17
 
 ### Added
-- **ForgeCode Integration**: You can now seamlessly launch and install provider endpoints directly into ForgeCode's TOML config. Use the `--forgecode` flag to run it.
-- **GitHub Copilot CLI Support**: Added direct integration with GitHub Copilot CLI (`--copilot`), dynamically setting `COPILOT_*` environment variables for seamless Bring Your Own Key (BYOK) execution.
-- **Security Audit Report**: Added comprehensive security audit documentation from Jules.
+
+- **🐳 Docker Packaging**: First-class Docker support so you can run FCM without installing Node.js. The official image is published to `ghcr.io/vava-nessa/free-coding-models` on every release and tag push.
+  - Multi-arch friendly `Dockerfile` based on `node:20-alpine`, running as a non-root `fcm` user.
+  - `docker-entrypoint.sh` auto-generates `~/.free-coding-models.json` from any `*_API_KEY` / `*_API_TOKEN` env vars you pass to the container — no manual config step.
+  - `docker-compose.yml` template wired up for every supported provider.
+  - GitHub Actions workflow (`.github/workflows/docker.yml`) handles build + publish to GHCR on `release: published`, `push: v*.*.*` tags, and `workflow_dispatch` (with a `test_mode` dry-run input).
+  - Trivy vulnerability scan blocks releases that introduce any CRITICAL/HIGH CVEs.
+  - Quick start: `docker run -p 19280:19280 -e OPENROUTER_API_KEY=... ghcr.io/vava-nessa/free-coding-models:latest`.
+- **🌐 Combined Daemon + Web Dashboard**: The router daemon now serves the web dashboard from the same port — no more juggling two processes. New REST surface area baked into the daemon:
+  - `GET /api/models` — full model catalog with latency stats, status, p95, jitter, stability, verdict, uptime, and `inRouterSet` flag.
+  - `GET /api/config` — provider catalog with masked API keys (`••••••••XXXX`) and enabled state.
+  - `GET /api/events` — SSE stream the dashboard subscribes to for live updates.
+  - `GET /api/key/<provider>` — reveal the raw API key for a configured provider (same-origin only).
+  - `POST /api/settings` — save API keys and per-provider enabled flags from the dashboard, then trigger a probe burst.
+  - When you add a new provider's API key from the dashboard, FCM now mirrors `--sync-set` behavior and automatically adds that provider's best-tier model to your active router set.
 
 ### Changed
-- **NVIDIA NIM Model Catalog Update**: Removed 11 deprecated models and updated GLM to the new `glm5` to keep the catalog fresh and fully operational.
-- **README Optimization**: Refactored README layout and updated image sizes for a cleaner documentation experience.
-- **Testing Architecture Refactoring**: Replaced `agent-tui` with native `tmux` to streamline visual TUI testing.
+
+- **`--web` flag removed**: replaced by `--daemon`, which now serves both the OpenAI-compatible router API and the dashboard on the same port. Existing tooling using `--web` should switch to `--daemon`.
+- **Preserve user-created router sets on daemon start**: previously the daemon rebuilt the active set from favorites or defaults on every restart, silently overwriting sets created with `--sync-set`. Named sets are now preserved.
+- **Faster config reload**: `CONFIG_RELOAD_INTERVAL_MS` shortened from 60s → 10s so dashboard-driven changes (toggling providers, adding keys) propagate quickly.
+- **Contributors**: welcome [@stgreenb](https://github.com/stgreenb) 🎉 — author of the daemon-web merge and Docker packaging work.
 
 ### Fixed
-- **Repository Maintenance**: Cleaned up obsolete tooling artifacts to maintain a bloat-free codebase.
-- **Dependencies**: Bumped internal UI framework tools (React `19.2.6`, Vite `8.0.13`).
+
+- **🔒 Path traversal in dashboard static file serving (security)**: requests like `GET /../../etc/passwd` could escape `web/dist/` and read arbitrary files reachable by the daemon user. The mitigation (`127.0.0.1` bind) was bypassed inside Docker where the daemon binds `0.0.0.0`. All static paths are now resolved against `WEB_DIST_DIR` and rejected with 403 when they escape.
+- **🔒 Cross-site write / key exfiltration on dashboard endpoints (security)**: `POST /api/settings` (writes API keys) and `GET /api/key/<provider>` (reveals raw keys) previously accepted any request, including those triggered by malicious tabs visiting a page that fetched `http://localhost:19280/...`. Both now enforce a same-origin / loopback `Origin` header check. Header-less CLI callers (curl, native apps) keep working.
+- **🔒 Config file permissions tightened in Docker**: the entrypoint previously created `~/.free-coding-models.json` with mode `0666`. Tightened to `0600` since it stores plaintext API keys.
+- **🐛 `/api/key/:provider` route never matched**: the handler compared `url.pathname === '/api/key/:provider'` literally, so the endpoint was unreachable. Now correctly matches via `startsWith` and 404s unknown providers.
+- **🐛 "Excellent" verdict for fully-down models**: when a model had probe history but every ping failed, `avg` collapsed to `0` and the dashboard showed "Excellent". Verdict now correctly returns `—` whenever no usable latency sample exists.
+- **🐛 `--daemon-bg` mode signalled "down" for everything in dashboard**: the type-mismatch comparison (`===` between string code and number) made every model render as `down`. Codes are now compared as strings.
+- **⚙️ Docker GitHub Actions workflow YAML repaired**: the top-level `env:` block and the GHCR login step were incorrectly indented and would have prevented GitHub from parsing the workflow at all.
+- **⚙️ Docker container lifecycle**: the container no longer outlives a crashed daemon. The entrypoint now runs the daemon in the foreground (`--daemon` instead of `--daemon-bg`) so Docker's restart policy can recover from crashes instead of waiting for the healthcheck to time out.
+
+### Internal
+
+- Removed a dead `createReadStream` import in `router-daemon.js`.
+- Hoisted `routerConfig()` and `getSet()` lookups out of the per-model loop in `getWebModelsPayload()` — saves ~200 redundant runtime calls per dashboard refresh — and uses a `Set` index for in-set membership checks.
+- Renamed a local `window` variable to `probeWindow` to avoid shadowing globals.
+- Removed a nested `router` shadow in `/api/settings`.
+- Added `X-Content-Type-Options: nosniff` header on all static dashboard responses.
+- Added 6 new tests covering path-traversal blocking, cross-origin write rejection, same-origin write success, CLI key fetch, and unknown-provider 404. Total: 371 tests, all green.

package/README.md

@@ -125,6 +125,94 @@ Use ⚡️ Command Palette! with **Ctrl+P**.
   <img src="https://img.shields.io/badge/USE_%E2%9A%A1%EF%B8%8F%20COMMAND%20PALETTE-CTRL%2BP-22c55e?style=for-the-badge" alt="Use ⚡️ Command Palette with Ctrl+P">
 </p>
 
+---
+
+## 🐳 Docker
+
+Run FCM without installing Node.js using the official Docker image:
+
+```bash
+# Quick start (daemon + web UI on port 19280)
+docker run -p 19280:19280 ghcr.io/vava-nessa/free-coding-models:latest
+
+# With an API key
+docker run -p 19280:19280 -e OPENROUTER_API_KEY=your_key ghcr.io/vava-nessa/free-coding-models:latest
+```
+
+Access the web dashboard at `http://localhost:19280/` and configure your coding tool to use `http://localhost:19280/v1` with model `fcm`.
+
+### Available Image Tags
+
+| Tag | Description |
+|-----|-------------|
+| `latest` | Most recent release |
+| `v{major}.{minor}.{patch}` | Specific version (e.g., `v0.3.70`) |
+| `v{major}.{minor}` | Minor version (e.g., `v0.3`) |
+| `v{major}` | Major version (e.g., `v0`) |
+
+### Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `FCM_HOST` | `0.0.0.0` | Host to bind to (set `127.0.0.1` for localhost-only) |
+| `FCM_PORT` | `19280` | Port to listen on |
+| `FREE_CODING_MODELS_TELEMETRY` | `0` | Disable telemetry |
+
+Provider API keys (all optional):
+
+```bash
+docker run -p 19280:19280 \
+  -e NVIDIA_API_KEY=your_key \
+  -e GROQ_API_KEY=your_key \
+  -e OPENROUTER_API_KEY=your_key \
+  ghcr.io/vava-nessa/free-coding-models:latest
+```
+
+### Docker Compose
+
+Create a `docker-compose.yml`:
+
+```yaml
+version: '3.8'
+services:
+  fcm:
+    image: ghcr.io/vava-nessa/free-coding-models:latest
+    container_name: fcm
+    restart: unless-stopped
+    ports:
+      - "19280:19280"
+    environment:
+      FREE_CODING_MODELS_TELEMETRY: "0"
+      FCM_HOST: "0.0.0.0"
+      OPENROUTER_API_KEY: ${OPENROUTER_API_KEY:-}
+    volumes:
+      - fcm-data:/home/fcm
+volumes:
+  fcm-data:
+```
+
+Run with `docker-compose up -d`. API keys can be passed via a `.env` file or environment variables.
+
+### Troubleshooting
+
+**Container won't start:**
+- Check logs: `docker logs fcm`
+- Verify port 19280 is not in use: `docker ps | grep 19280`
+
+**Health check fails:**
+- Wait 30s for initial probe cycle
+- Verify API keys are valid: `docker exec fcm curl http://localhost:19280/health`
+
+**Cannot connect from host:**
+- Ensure `FCM_HOST=0.0.0.0` (default)
+- Check firewall allows localhost connections
+
+**Data persistence:**
+- Config is stored in Docker volume `fcm-data`
+- Recreate the volume with `docker-compose down -v` to reset
+
+---
+
 Need to fix contrast because your terminal theme is fighting the TUI? Press **`G`** at any time to cycle **Auto → Dark → Light**. The switch recolors the full interface live: table, Settings, Help, Smart Recommend, Feedback, and Changelog.
 
 **② Pick a model and launch your tool:**
@@ -148,17 +236,8 @@ If the active CLI tool is missing, FCM now catches it before launch, offers a ti
 ### Common scenarios
 
 ```bash
-# "I want the most reliable model right now"
-free-coding-models --fiable
-
-# "I want to configure Goose with an S-tier model"
-free-coding-models --goose --tier S
-
-# "I want NVIDIA's top models only"
-free-coding-models --origin nvidia --tier S
-
 # "I want the local web dashboard"
-free-coding-models --web
+free-coding-models --daemon
 
 # "I want one local endpoint that fails over between free models"
 free-coding-models --daemon-bg
@@ -174,7 +253,14 @@ free-coding-models --tier S --json | jq -r '.[0].modelId'
 free-coding-models --openclaw --origin groq
 ```
 
-When launching the web dashboard, `free-coding-models` prefers `http://localhost:3333`. If that port is already used by another app, it now auto-picks the next free local port and prints the exact URL to open.
+When launching the daemon (with `--daemon`), the web dashboard and router API are served from the same port. Configure tools with:
+
+| Field | Value |
+|-------|-------|
+| Router Base URL | `http://localhost:19280/v1` |
+| Dashboard URL | `http://localhost:19280/` |
+| Model | `fcm` |
+| API key | `fcm-local` |
 
 ### Smart Model Router
 
@@ -214,9 +300,20 @@ Router endpoints:
 | `GET /v1/models` | Return virtual models (`fcm`, `fcm:set-name`) |
 | `GET /health` | Daemon status JSON |
 | `GET /stats` | Routing, health, request log, and token stats |
-| `GET /stream/events` | Live SSE events for dashboard updates |
+| `GET /stream/events` | Live SSE events for router updates |
 | `POST /daemon/probe-mode` | Set probe mode with `{ "probeMode": "eco" | "balanced" | "aggressive" }` |
 
+**Web Dashboard endpoints** (served from the same port in `--daemon` mode):
+
+| Endpoint | Purpose |
+|----------|---------|
+| `GET /` | Web dashboard HTML |
+| `GET /api/models` | All model data with latency stats |
+| `GET /api/config` | Provider config (keys masked) |
+| `GET /api/events` | Live SSE events for dashboard |
+| `GET /api/key/:provider` | Reveal full API key for provider |
+| `POST /api/settings` | Save API keys and provider toggles |
+
 Routing behavior:
 
 - Priority order works immediately on cold start, then probes refine health scores over time.
@@ -505,6 +602,7 @@ Telemetry is enabled by default and can be disabled with any of the following:
     <td align="center" width="120"><a href="https://github.com/PhucTruong-ctrl"><img src="https://github.com/PhucTruong-ctrl.png?s=80" width="80" height="80" style="border-radius:50%" alt="PhucTruong-ctrl"></a></td>
     <td align="center" width="120"><a href="https://github.com/chindris-mihai-alexandru"><img src="https://avatars.githubusercontent.com/u/12643176?v=4&s=80" width="80" height="80" style="border-radius:50%" alt="chindris-mihai-alexandru"></a></td>
     <td align="center" width="120"><a href="https://github.com/serajbaltu"><img src="https://avatars.githubusercontent.com/u/90699173?v=4&s=80" width="80" height="80" style="border-radius:50%" alt="serajbaltu"></a></td>
+    <td align="center" width="120"><a href="https://github.com/stgreenb"><img src="https://avatars.githubusercontent.com/u/18483964?v=4&s=80" width="80" height="80" style="border-radius:50%" alt="stgreenb"></a></td>
   </tr>
   <tr>
     <td align="center"><a href="https://github.com/vava-nessa"><sub><b>vava-nessa</b></sub></a></td>
@@ -514,6 +612,7 @@ Telemetry is enabled by default and can be disabled with any of the following:
     <td align="center"><a href="https://github.com/PhucTruong-ctrl"><sub><b>PhucTruong-ctrl</b></sub></a></td>
     <td align="center"><a href="https://github.com/chindris-mihai-alexandru"><sub><b>chindris-mihai-alexandru</b></sub></a></td>
     <td align="center"><a href="https://github.com/serajbaltu"><sub><b>serajbaltu</b></sub></a></td>
+    <td align="center"><a href="https://github.com/stgreenb"><sub><b>stgreenb</b></sub></a></td>
   </tr>
 </table>
 

package/bin/free-coding-models.js

@@ -92,15 +92,7 @@ async function main() {
     process.exit(1);
   }
 
-  // 📖 --web mode: launch the web dashboard instead of the TUI
-  if (cliArgs.webMode) {
-    const { startWebServer } = await import('../web/server.js')
-    const port = parseInt(process.env.FCM_PORT || '3333', 10)
-    await startWebServer(port, { open: true })
-    return
-  }
-
-  // 📖 Load JSON config
+  // Load JSON config
   const config = loadConfig();
   ensureTelemetryConfig(config);
   ensureFavoritesConfig(config);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "free-coding-models",
-  "version": "0.3.66",
+  "version": "0.3.67",
   "description": "Find the fastest coding LLM models in seconds — ping free models from multiple providers, pick the best one for OpenCode, Cursor, or any AI coding assistant.",
   "keywords": [
     "nvidia",

package/src/cli-help.js

@@ -36,8 +36,7 @@ const ANALYSIS_FLAGS = [
 ]
 
 const CONFIG_FLAGS = [
-  { flag: '--web', description: 'Launch the web dashboard in your browser' },
-  { flag: '--daemon', description: 'Start the FCM Router daemon in the foreground' },
+  { flag: '--daemon', description: 'Start the FCM Router daemon + web dashboard (same port)' },
   { flag: '--daemon-bg', description: 'Start the FCM Router daemon in the background' },
   { flag: '--daemon-status', description: 'Print FCM Router daemon status JSON' },
   { flag: '--daemon-stop', description: 'Gracefully stop the FCM Router daemon' },
@@ -48,7 +47,7 @@ const CONFIG_FLAGS = [
 
 const EXAMPLES = [
   'free-coding-models --help',
-  'free-coding-models --web',
+  'free-coding-models --daemon',
   'free-coding-models --daemon-bg',
   'free-coding-models --daemon-status',
   'free-coding-models --sync-set',