openmagic 0.9.0 → 0.10.0

package/dist/cli.js

@@ -10,7 +10,8 @@ import { createInterface } from "readline";
 
 // src/proxy.ts
 import http from "http";
-import { createGunzip, createInflate, createBrotliDecompress } from "zlib";
+import { gunzip, inflate, brotliDecompress } from "zlib";
+import { promisify } from "util";
 import httpProxy from "http-proxy";
 
 // src/security.ts
@@ -31,6 +32,9 @@ function validateToken(token) {
 }
 
 // src/proxy.ts
+var gunzipAsync = promisify(gunzip);
+var inflateAsync = promisify(inflate);
+var brotliAsync = promisify(brotliDecompress);
 function createProxyServer(targetHost, targetPort, serverPort) {
   const proxy = httpProxy.createProxyServer({
     target: `http://${targetHost}:${targetPort}`,
@@ -59,6 +63,11 @@ function createProxyServer(targetHost, targetPort, serverPort) {
       delete headers["content-length"];
       delete headers["content-encoding"];
       delete headers["transfer-encoding"];
+      delete headers["content-security-policy"];
+      delete headers["content-security-policy-report-only"];
+      delete headers["x-content-security-policy"];
+      delete headers["etag"];
+      delete headers["last-modified"];
       res.writeHead(proxyRes.statusCode || 200, headers);
       res.end(body);
     }).catch(() => {
@@ -99,57 +108,32 @@ function createProxyServer(targetHost, targetPort, serverPort) {
   });
   return server;
 }
-function collectBody(stream) {
-  return new Promise((resolve3, reject) => {
-    const encoding = (stream.headers["content-encoding"] || "").toLowerCase();
+async function collectBody(stream) {
+  const rawBuffer = await new Promise((resolve3, reject) => {
     const chunks = [];
-    let source = stream;
+    stream.on("data", (chunk) => chunks.push(chunk));
+    stream.on("end", () => resolve3(Buffer.concat(chunks)));
+    stream.on("error", reject);
+  });
+  const encoding = (stream.headers["content-encoding"] || "").toLowerCase();
+  if (!encoding || encoding === "identity") {
+    return rawBuffer.toString("utf-8");
+  }
+  try {
+    let decompressed;
     if (encoding === "gzip" || encoding === "x-gzip") {
-      const gunzip = createGunzip();
-      stream.pipe(gunzip);
-      source = gunzip;
-      gunzip.on("error", () => {
-        collectRaw(stream).then(resolve3).catch(reject);
-      });
+      decompressed = await gunzipAsync(rawBuffer);
     } else if (encoding === "deflate") {
-      const inflate = createInflate();
-      stream.pipe(inflate);
-      source = inflate;
-      inflate.on("error", () => {
-        collectRaw(stream).then(resolve3).catch(reject);
-      });
+      decompressed = await inflateAsync(rawBuffer);
     } else if (encoding === "br") {
-      const brotli = createBrotliDecompress();
-      stream.pipe(brotli);
-      source = brotli;
-      brotli.on("error", () => {
-        collectRaw(stream).then(resolve3).catch(reject);
-      });
+      decompressed = await brotliAsync(rawBuffer);
+    } else {
+      return rawBuffer.toString("utf-8");
     }
-    source.on("data", (chunk) => chunks.push(chunk));
-    source.on("end", () => {
-      try {
-        resolve3(Buffer.concat(chunks).toString("utf-8"));
-      } catch {
-        reject(new Error("Failed to decode response body"));
-      }
-    });
-    source.on("error", (err) => reject(err));
-  });
-}
-function collectRaw(stream) {
-  return new Promise((resolve3, reject) => {
-    const chunks = [];
-    stream.on("data", (chunk) => chunks.push(chunk));
-    stream.on("end", () => {
-      try {
-        resolve3(Buffer.concat(chunks).toString("utf-8"));
-      } catch {
-        reject(new Error("Failed to decode raw body"));
-      }
-    });
-    stream.on("error", reject);
-  });
+    return decompressed.toString("utf-8");
+  } catch {
+    return rawBuffer.toString("utf-8");
+  }
 }
 function handleToolbarAsset(_req, res, _serverPort) {
   res.writeHead(404, { "Content-Type": "text/plain" });
@@ -181,7 +165,7 @@ import { fileURLToPath } from "url";
 import { WebSocketServer, WebSocket } from "ws";
 
 // src/config.ts
-import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { readFileSync, writeFileSync, renameSync, mkdirSync, existsSync } from "fs";
 import { join } from "path";
 import { homedir } from "os";
 var CONFIG_DIR = join(homedir(), ".openmagic");
@@ -208,7 +192,9 @@ function saveConfig(updates) {
     ensureConfigDir();
     const existing = loadConfig();
     const merged = { ...existing, ...updates };
-    writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2), "utf-8");
+    const tmpFile = CONFIG_FILE + ".tmp";
+    writeFileSync(tmpFile, JSON.stringify(merged, null, 2), { encoding: "utf-8", mode: 384 });
+    renameSync(tmpFile, CONFIG_FILE);
   } catch (e) {
     console.warn(`[OpenMagic] Warning: Could not save config to ${CONFIG_FILE}: ${e.message}`);
   }
@@ -260,7 +246,8 @@ function isPathSafe(filePath, roots) {
   const resolved = resolve(filePath);
   return roots.some((root) => {
     const resolvedRoot = resolve(root);
-    return resolved.startsWith(resolvedRoot);
+    const rel = relative(resolvedRoot, resolved);
+    return !rel.startsWith("..") && !rel.startsWith("/") && !rel.startsWith("\\");
   });
 }
 function readFileSafe(filePath, roots) {
@@ -1093,8 +1080,10 @@ async function chatOpenAICompatible(provider, model, apiKey, messages, context,
   const apiMessages = [
     { role: "system", content: SYSTEM_PROMPT }
   ];
-  for (const msg of messages) {
-    if (msg.role === "user" && typeof msg.content === "string") {
+  const lastUserIdx = messages.reduce((acc, m, i) => m.role === "user" ? i : acc, -1);
+  for (let i = 0; i < messages.length; i++) {
+    const msg = messages[i];
+    if (msg.role === "user" && typeof msg.content === "string" && i === lastUserIdx) {
       const contextParts = {};
       if (context.selectedElement) {
         contextParts.selectedElement = context.selectedElement.outerHTML;
@@ -1128,6 +1117,8 @@ async function chatOpenAICompatible(provider, model, apiKey, messages, context,
       } else {
         apiMessages.push({ role: "user", content: enrichedContent });
       }
+    } else if (msg.role === "system") {
+      continue;
     } else {
       apiMessages.push({
         role: msg.role,
@@ -1219,9 +1210,11 @@ async function chatOpenAICompatible(provider, model, apiKey, messages, context,
 async function chatAnthropic(model, apiKey, messages, context, onChunk, onDone, onError) {
   const url = "https://api.anthropic.com/v1/messages";
   const apiMessages = [];
-  for (const msg of messages) {
+  const lastUserIdx = messages.reduce((acc, m, i) => m.role === "user" ? i : acc, -1);
+  for (let i = 0; i < messages.length; i++) {
+    const msg = messages[i];
     if (msg.role === "system") continue;
-    if (msg.role === "user" && typeof msg.content === "string") {
+    if (msg.role === "user" && typeof msg.content === "string" && i === lastUserIdx) {
       const contextParts = {};
       if (context.selectedElement) {
         contextParts.selectedElement = context.selectedElement.outerHTML;
@@ -1346,10 +1339,12 @@ async function chatAnthropic(model, apiKey, messages, context, onChunk, onDone,
 async function chatGoogle(model, apiKey, messages, context, onChunk, onDone, onError) {
   const url = `https://generativelanguage.googleapis.com/v1beta/models/${model}:streamGenerateContent?key=${apiKey}&alt=sse`;
   const contents = [];
-  for (const msg of messages) {
+  const lastUserIdx = messages.reduce((acc, m, i) => m.role === "user" ? i : acc, -1);
+  for (let i = 0; i < messages.length; i++) {
+    const msg = messages[i];
     if (msg.role === "system") continue;
     const role = msg.role === "assistant" ? "model" : "user";
-    if (msg.role === "user" && typeof msg.content === "string") {
+    if (msg.role === "user" && typeof msg.content === "string" && i === lastUserIdx) {
       const contextParts = {};
       if (context.selectedElement) {
         contextParts.selectedElement = context.selectedElement.outerHTML;
@@ -1391,9 +1386,7 @@ async function chatGoogle(model, apiKey, messages, context, onChunk, onDone, onE
   const generationConfig = {
     maxOutputTokens: 8192
   };
-  if (thinkingLevel && thinkingLevel !== "none") {
-    generationConfig.thinking_level = thinkingLevel.toUpperCase();
-  }
+  const thinkingConfig = thinkingLevel && thinkingLevel !== "none" ? { thinkingLevel: thinkingLevel.toUpperCase() } : void 0;
   const body = {
     system_instruction: {
       parts: [{ text: SYSTEM_PROMPT }]
@@ -1401,6 +1394,9 @@ async function chatGoogle(model, apiKey, messages, context, onChunk, onDone, onE
     contents,
     generationConfig
   };
+  if (thinkingConfig) {
+    body.thinkingConfig = thinkingConfig;
+  }
   try {
     const response = await fetch(url, {
       method: "POST",
@@ -1524,7 +1520,7 @@ function createOpenMagicServer(proxyPort, roots) {
         "Content-Type": "application/json",
         "Access-Control-Allow-Origin": "*"
       });
-      res.end(JSON.stringify({ status: "ok", version: "0.9.0" }));
+      res.end(JSON.stringify({ status: "ok", version: "0.10.0" }));
       return;
     }
     res.writeHead(404);
@@ -1535,7 +1531,12 @@ function createOpenMagicServer(proxyPort, roots) {
     path: "/__openmagic__/ws"
   });
   const clientStates = /* @__PURE__ */ new WeakMap();
-  wss.on("connection", (ws) => {
+  wss.on("connection", (ws, req) => {
+    const origin = req.headers.origin || "";
+    if (origin && !origin.startsWith("http://localhost") && !origin.startsWith("http://127.0.0.1")) {
+      ws.close(4003, "Forbidden origin");
+      return;
+    }
     clientStates.set(ws, { authenticated: false });
     ws.on("message", async (data) => {
       let msg;
@@ -1582,7 +1583,7 @@ async function handleMessage(ws, msg, state, roots, _proxyPort) {
         id: msg.id,
         type: "handshake.ok",
         payload: {
-          version: "0.9.0",
+          version: "0.10.0",
           roots,
           config: {
             provider: config.provider,
@@ -1635,7 +1636,8 @@ async function handleMessage(ws, msg, state, roots, _proxyPort) {
     case "llm.chat": {
       const payload = msg.payload;
       const config = loadConfig();
-      if (!config.apiKey) {
+      const providerMeta = MODEL_REGISTRY?.[payload.provider || config.provider || ""];
+      if (!config.apiKey && !providerMeta?.local) {
         sendError(ws, "config_error", "API key not configured", msg.id);
         return;
       }
@@ -1679,7 +1681,6 @@ async function handleMessage(ws, msg, state, roots, _proxyPort) {
       if (payload.provider !== void 0) updates.provider = payload.provider;
       if (payload.model !== void 0) updates.model = payload.model;
       if (payload.apiKey !== void 0) updates.apiKey = payload.apiKey;
-      if (payload.roots !== void 0) updates.roots = payload.roots;
       saveConfig(updates);
       send(ws, {
         id: msg.id,
@@ -1913,7 +1914,7 @@ process.on("uncaughtException", (err) => {
   process.exit(1);
 });
 var childProcesses = [];
-var VERSION = "0.9.0";
+var VERSION = "0.10.0";
 function ask(question) {
   const rl = createInterface({ input: process.stdin, output: process.stdout });
   return new Promise((resolve3) => {
@@ -2048,6 +2049,11 @@ program.name("openmagic").description("AI-powered coding toolbar for any web app
       if (!started) {
         process.exit(1);
       }
+      const recheck = await detectDevServer();
+      if (recheck) {
+        targetPort = recheck.port;
+        targetHost = recheck.host;
+      }
     }
   } else {
     console.log(chalk.dim("  Scanning for dev server..."));