pi-free 2.2.2 → 2.2.4

package/providers/qoder/cosy.ts

@@ -0,0 +1,236 @@
+/**
+ * COSY cryptographic signing for Qoder API authentication.
+ *
+ * Qoder uses a proprietary signing scheme (COSY) that combines RSA-encrypted
+ * AES keys, AES-CBC-encrypted user info, and MD5 payload signing. This module
+ * reimplements the same algorithm used by the official qodercli binary.
+ *
+ * The auth flow:
+ *   1. Generate a random 16-byte AES key
+ *   2. AES-CBC-encrypt user info (uid, auth token, name, email) with it
+ *   3. RSA-encrypt the AES key with Qoder's public key
+ *   4. Build a COSY payload: { version, requestId, info, cosyVersion, ideVersion }
+ *   5. MD5-hash: payloadB64 + "\n" + cosyKey + "\n" + timestamp + "\n" + body + "\n" + sigPath
+ *   6. Send as Authorization: Bearer COSY.{payloadB64}.{sig} + 15 Cosy-* headers
+ */
+
+import crypto from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+
+const QODER_RSA_PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA8iMH5c02LilrsERw9t6Pv5Nc
+4k6Pz1EaDicBMpdpxKduSZu5OANqUq8er4GM95omAGIOPOh+Nx0spthYA2BqGz+l
+6HRkPJ7S236FZz73In/KVuLnwI8JJ2CbuJap8kvheCCZpmAWpb/cPx/3Vr/J6I17
+XcW+ML9FoCI6AOvOzwIDAQAB
+-----END PUBLIC KEY-----`;
+
+const QODER_IDE_VERSION = "1.0.0";
+const QODER_CLIENT_TYPE = "5";
+const QODER_DATA_POLICY = "disagree";
+const QODER_LOGIN_VERSION = "v2";
+const QODER_MACHINE_OS = "x86_64_windows";
+const QODER_MACHINE_TYPE_MAGIC = "5";
+
+interface UserInfo {
+	uid: string;
+	security_oauth_token: string;
+	name: string;
+	aid: string;
+	email: string;
+}
+
+interface CosyPayload {
+	version: string;
+	requestId: string;
+	info: string;
+	cosyVersion: string;
+	ideVersion: string;
+}
+
+export interface CosyCredentials {
+	userID: string;
+	authToken: string;
+	name: string;
+	email: string;
+	machineID?: string;
+}
+
+type BodyInput = Buffer | string | null;
+
+function bodyToUtf8(body: BodyInput): string {
+	if (!body) return "";
+	if (Buffer.isBuffer(body)) return body.toString("utf8");
+	return body;
+}
+
+function bodyToLengthString(body: BodyInput): string {
+	if (!body) return "0";
+	if (Buffer.isBuffer(body)) return String(body.length);
+	return String(Buffer.from(body).length);
+}
+
+function rsaEncryptBase64(data: Buffer | string): string {
+	const key = {
+		key: QODER_RSA_PUBLIC_KEY,
+		padding: crypto.constants.RSA_PKCS1_PADDING,
+	};
+	const encrypted = crypto.publicEncrypt(
+		key,
+		typeof data === "string" ? Buffer.from(data) : data,
+	);
+	return encrypted.toString("base64");
+}
+
+/**
+ * Encrypt plaintext with AES-128-CBC using the same key for both key and IV.
+ *
+ * NOTE: Using key as IV is insecure in general and would be flagged by static
+ * analysis tools. However, this is a strict requirement of Qoder's COSY protocol
+ * (reverse-engineered from the official CLI). Changing the mode or IV derivation
+ * will cause authentication failures.
+ *
+ * @param plaintext - Data to encrypt
+ * @param keyStr - 16-byte hex key (also used as IV per protocol spec)
+ * @returns Base64-encoded ciphertext
+ */
+function aesEncryptCBCBase64(plaintext: string, keyStr: string): string {
+	// sonar-security: AES-CBC with key-as-IV is protocol-mandatory for Qoder COSY auth
+	const cipher = crypto.createCipheriv(
+		"aes-128-cbc",
+		Buffer.from(keyStr),
+		Buffer.from(keyStr),
+	);
+	let encrypted = cipher.update(plaintext, "utf8", "base64");
+	encrypted += cipher.final("base64");
+	return encrypted;
+}
+
+function computeSigPath(urlStr: string): string {
+	try {
+		const parsed = new URL(urlStr);
+		let sigPath = parsed.pathname;
+		if (sigPath.startsWith("/algo")) {
+			sigPath = sigPath.slice("/algo".length);
+		}
+		return sigPath;
+	} catch {
+		return "";
+	}
+}
+
+/**
+ * Get or create a persistent machine ID.
+ * Checks ~/.qoder/.auth/machine_id first, then falls back to ~/.pi/agent/qoder-machine-id.
+ */
+export function getMachineId(): string {
+	const paths = [
+		join(homedir(), ".qoder", ".auth", "machine_id"),
+		join(homedir(), ".pi", "agent", "qoder-machine-id"),
+	];
+	for (const p of paths) {
+		if (existsSync(p)) {
+			try {
+				const val = readFileSync(p, "utf8").trim();
+				if (val) return val;
+			} catch {
+				// Ignore read errors
+			}
+		}
+	}
+	const newId = crypto.randomUUID();
+	try {
+		const savePath = paths[1];
+		mkdirSync(dirname(savePath), { recursive: true });
+		writeFileSync(savePath, newId, "utf8");
+	} catch {
+		// Best-effort
+	}
+	return newId;
+}
+
+/**
+ * Build all COSY authentication headers for a Qoder API request.
+ *
+ * @param body - Request body (Buffer or string), or null for GET requests
+ * @param requestURL - Full URL being requested
+ * @param creds - COSY credentials (userID, authToken, name, email, machineID)
+ * @returns Record of headers to include in the request
+ */
+export function buildAuthHeaders(
+	body: Buffer | string | null,
+	requestURL: string,
+	creds: CosyCredentials,
+): Record<string, string> {
+	if (!creds.userID) {
+		throw new Error("cosy: user id is empty");
+	}
+	if (!creds.authToken) {
+		throw new Error("cosy: auth token is empty");
+	}
+
+	const aesKey = crypto.randomUUID().replaceAll(/-/g, "").slice(0, 16);
+	const userInfo: UserInfo = {
+		uid: creds.userID,
+		security_oauth_token: creds.authToken,
+		name: creds.name || "",
+		aid: "",
+		email: creds.email || "",
+	};
+
+	const infoB64 = aesEncryptCBCBase64(JSON.stringify(userInfo), aesKey);
+	const cosyKey = rsaEncryptBase64(aesKey);
+
+	const timestamp = Math.floor(Date.now() / 1000).toString();
+	const requestId = crypto.randomUUID();
+
+	const cosyPayload: CosyPayload = {
+		version: "v1",
+		requestId,
+		info: infoB64,
+		cosyVersion: QODER_IDE_VERSION,
+		ideVersion: "",
+	};
+
+	const payloadB64 = Buffer.from(JSON.stringify(cosyPayload)).toString(
+		"base64",
+	);
+	const sigPath = computeSigPath(requestURL);
+
+	const bodyStr = bodyToUtf8(body);
+	const sigInput = `${payloadB64}\n${cosyKey}\n${timestamp}\n${bodyStr}\n${sigPath}`;
+	// sonar-security: MD5 is protocol-mandatory for COSY signature (reverse-engineered from Qoder CLI)
+	const sig = crypto.createHash("md5").update(sigInput).digest("hex");
+
+	// sonar-security: MD5 is protocol-mandatory for COSY body hash (reverse-engineered from Qoder CLI)
+	const bodyHash = crypto
+		.createHash("md5")
+		.update(body || "")
+		.digest("hex");
+	const bodyLen = bodyToLengthString(body);
+
+	const machineID = creds.machineID || getMachineId();
+
+	return {
+		Authorization: `Bearer COSY.${payloadB64}.${sig}`,
+		"Cosy-Key": cosyKey,
+		"Cosy-User": creds.userID,
+		"Cosy-Date": timestamp,
+		"Cosy-Version": QODER_IDE_VERSION,
+		"Cosy-Machineid": machineID,
+		"Cosy-Machinetoken": machineID,
+		"Cosy-Machinetype": QODER_MACHINE_TYPE_MAGIC,
+		"Cosy-Machineos": QODER_MACHINE_OS,
+		"Cosy-Clienttype": QODER_CLIENT_TYPE,
+		"Cosy-Clientip": "127.0.0.1",
+		"Cosy-Bodyhash": bodyHash,
+		"Cosy-Bodylength": bodyLen,
+		"Cosy-Sigpath": sigPath,
+		"Cosy-Data-Policy": QODER_DATA_POLICY,
+		"Cosy-Organization-Id": "",
+		"Cosy-Organization-Tags": "",
+		"Login-Version": QODER_LOGIN_VERSION,
+		"X-Request-Id": crypto.randomUUID(),
+	};
+}

package/providers/qoder/encoding.ts

@@ -0,0 +1,48 @@
+/**
+ * Qoder WAF bypass body encoding.
+ *
+ * Qoder's API uses a custom base64 variant with a scrambled alphabet and
+ * rearranged segments to evade WAF detection. This is the same encoding
+ * used by the official qodercli binary.
+ *
+ * The algorithm:
+ *   1. Take the standard base64 of the input
+ *   2. Rearrange segments: last N/3 chars + middle N-2N/3 chars + first N/3 chars
+ *   3. Substitute each character through a custom alphabet
+ *   4. Replace '=' padding with '$'
+ */
+
+const QODER_CUSTOM_ALPHABET =
+	"_doRTgHZBKcGVjlvpC,@aFSx#DPuNJme&i*MzLOEn)sUrthbf%Y^w.(kIQyXqWA!";
+const QODER_STD_ALPHABET =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+/**
+ * Encode a body string or buffer using Qoder's custom WAF-bypass encoding.
+ *
+ * @param plaintext - String or Buffer to encode
+ * @returns Encoded string ready for transmission
+ */
+export function qoderEncodeBody(plaintext: string | Buffer): string {
+	const std = Buffer.isBuffer(plaintext)
+		? plaintext.toString("base64")
+		: Buffer.from(plaintext).toString("base64");
+	const n = std.length;
+	const a = Math.floor(n / 3);
+	const rearranged = std.slice(n - a) + std.slice(a, n - a) + std.slice(0, a);
+	let out = "";
+	for (let i = 0; i < n; i++) {
+		const c = rearranged[i];
+		if (c === "=") {
+			out += "$";
+		} else {
+			const idx = QODER_STD_ALPHABET.indexOf(c);
+			if (idx >= 0) {
+				out += QODER_CUSTOM_ALPHABET[idx];
+			} else {
+				out += c;
+			}
+		}
+	}
+	return out;
+}

package/providers/qoder/models.ts

@@ -0,0 +1,321 @@
+/**
+ * Qoder model definitions and cache management.
+ *
+ * Qoder provides a static set of models (all at zero cost) with the option
+ * to dynamically discover more from the `/algo/api/v2/model/list` endpoint.
+ * The dynamic list is cached at `~/.pi/agent/qoder-models-cache.json` with
+ * a 1-hour TTL and falls back to the static models on cache miss or API error.
+ *
+ * ALL Qoder models are free — no pricing data needed.
+ */
+
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+import type { ProviderModelConfig } from "@earendil-works/pi-coding-agent";
+import { buildAuthHeaders } from "./cosy.ts";
+
+// ─── Cache ───────────────────────────────────────────────────────────────────
+
+const CACHE_PATH = join(homedir(), ".pi", "agent", "qoder-models-cache.json");
+
+const ZERO_COST = Object.freeze({
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0,
+});
+
+// ─── Static model list ───────────────────────────────────────────────────────
+
+/**
+ * Static model definitions for Qoder.
+ * All models are free (zero cost) — no paid tier exists.
+ * These serve as the fallback when the dynamic API is unreachable.
+ */
+export const staticModels: ProviderModelConfig[] = [
+	{
+		id: "auto",
+		name: "Qoder Auto",
+		reasoning: true,
+		input: ["text", "image"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 180_000,
+		maxTokens: 32_768,
+	},
+	{
+		id: "ultimate",
+		name: "Qoder Ultimate",
+		reasoning: true,
+		input: ["text", "image"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 1_000_000,
+		maxTokens: 32_768,
+	},
+	{
+		id: "performance",
+		name: "Qoder Performance",
+		reasoning: true,
+		input: ["text", "image"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 1_000_000,
+		maxTokens: 32_768,
+	},
+	{
+		id: "efficient",
+		name: "Qoder Efficient",
+		reasoning: false,
+		input: ["text", "image"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 180_000,
+		maxTokens: 32_768,
+	},
+	{
+		id: "lite",
+		name: "Qoder Lite",
+		reasoning: false,
+		input: ["text"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 180_000,
+		maxTokens: 32_768,
+	},
+	{
+		id: "qmodel",
+		name: "Qwen3.7 Plus (Qoder)",
+		reasoning: false,
+		input: ["text", "image"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 1_000_000,
+		maxTokens: 32_768,
+	},
+	{
+		id: "qmodel_latest",
+		name: "Qwen3.7 Max (Qoder)",
+		reasoning: false,
+		input: ["text", "image"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 1_000_000,
+		maxTokens: 32_768,
+	},
+	{
+		id: "dmodel",
+		name: "DeepSeek V4 Pro (Qoder)",
+		reasoning: true,
+		input: ["text", "image"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 1_000_000,
+		maxTokens: 32_768,
+	},
+	{
+		id: "dfmodel",
+		name: "DeepSeek V4 Flash (Qoder)",
+		reasoning: true,
+		input: ["text", "image"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 1_000_000,
+		maxTokens: 32_768,
+	},
+	{
+		id: "gm51model",
+		name: "GLM 5.1 (Qoder)",
+		reasoning: true,
+		input: ["text", "image"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 180_000,
+		maxTokens: 32_768,
+	},
+	{
+		id: "kmodel",
+		name: "Kimi K2.6 (Qoder)",
+		reasoning: false,
+		input: ["text", "image"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 256_000,
+		maxTokens: 32_768,
+	},
+	{
+		id: "mmodel",
+		name: "MiniMax M3 (Qoder)",
+		reasoning: false,
+		input: ["text", "image"] as ("text" | "image")[],
+		cost: ZERO_COST,
+		contextWindow: 1_000_000,
+		maxTokens: 32_768,
+	},
+];
+
+// ─── Dynamic model API ───────────────────────────────────────────────────────
+
+interface QoderModelEntry {
+	key?: string;
+	enable?: boolean;
+	display_name?: string;
+	max_input_tokens?: number;
+	max_output_tokens?: number;
+	context_config?: Record<string, { token_count?: number }>;
+	is_vl?: boolean;
+	is_reasoning?: boolean;
+	thinking_config?: { enabled?: { efforts?: unknown } };
+	source?: string;
+	[key: string]: unknown;
+}
+
+// ─── Cache management ────────────────────────────────────────────────────────
+
+function modelEntryToConfig(
+	entry: QoderModelEntry,
+): ProviderModelConfig | null {
+	const key = entry.key;
+	if (!key || !entry.enable) return null;
+
+	const display = entry.display_name || key;
+	const ctxLen = resolveContextLength(entry);
+	const isVL = Boolean(entry.is_vl);
+	const isReasoning = Boolean(entry.is_reasoning) || Boolean(entry.thinking_config);
+	const input: ("text" | "image")[] = isVL ? ["text", "image"] : ["text"];
+
+	return {
+		id: key,
+		name: display,
+		reasoning: isReasoning,
+		input,
+		cost: ZERO_COST,
+		contextWindow: ctxLen,
+		maxTokens: entry.max_output_tokens || 32_768,
+	};
+}
+
+function resolveContextLength(entry: QoderModelEntry): number {
+	let ctxLen = entry.max_input_tokens || 180_000;
+	if (entry.context_config && typeof entry.context_config === "object") {
+		for (const val of Object.values(entry.context_config)) {
+			if (
+				val &&
+				typeof val === "object" &&
+				typeof (val as Record<string, unknown>).token_count === "number"
+			) {
+				const tc = (val as Record<string, number>).token_count;
+				if (tc > ctxLen) ctxLen = tc;
+			}
+		}
+	}
+	return ctxLen;
+}
+
+/** Get models from cache, falling back to static models. */
+export function getCachedModels(): ProviderModelConfig[] {
+	if (existsSync(CACHE_PATH)) {
+		try {
+			const data = JSON.parse(readFileSync(CACHE_PATH, "utf8"));
+			if (data && Array.isArray(data.models)) {
+				return data.models as ProviderModelConfig[];
+			}
+		} catch {
+			// Fall through to static
+		}
+	}
+	return staticModels;
+}
+
+/** Check if the local model cache is stale (>1 hour old). */
+export function isCacheStale(): boolean {
+	if (!existsSync(CACHE_PATH)) return true;
+	try {
+		const data = JSON.parse(readFileSync(CACHE_PATH, "utf8"));
+		if (!data || typeof data.updatedAt !== "number") return true;
+		return Date.now() - data.updatedAt > 3_600_000; // 1 hour
+	} catch {
+		return true;
+	}
+}
+
+/**
+ * Fetch available models from Qoder's dynamic model list API and cache them.
+ * Falls back silently if the API is unreachable.
+ */
+export async function updateQoderModelsCache(
+	authToken: string,
+	userID: string,
+	name: string,
+	email: string,
+): Promise<void> {
+	const modelListURL = "https://api3.qoder.sh/algo/api/v2/model/list";
+	try {
+		const headers = buildAuthHeaders(null, modelListURL, {
+			userID,
+			authToken,
+			name,
+			email,
+		});
+
+		const response = await fetch(modelListURL, {
+			method: "GET",
+			headers: {
+				Accept: "application/json",
+				...headers,
+			},
+		});
+
+		if (!response.ok) return;
+
+		const resData = (await response.json()) as {
+			chat?: QoderModelEntry[];
+		};
+		const chatModels = resData.chat || [];
+		if (chatModels.length === 0) return;
+
+		const newModels: ProviderModelConfig[] = [];
+		const configs: Record<string, QoderModelEntry> = {};
+
+		for (const entry of chatModels) {
+			const model = modelEntryToConfig(entry);
+			if (!model) continue;
+			configs[model.id] = entry;
+			newModels.push(model);
+		}
+
+		if (newModels.length === 0) return;
+
+		// Ensure the auto router model is present
+		if (!newModels.some((m) => m.id === "auto")) {
+			newModels.unshift({
+				id: "auto",
+				name: "Qoder Auto",
+				reasoning: true,
+				input: ["text", "image"] as ("text" | "image")[],
+				cost: ZERO_COST,
+				contextWindow: 180_000,
+				maxTokens: 32_768,
+			});
+		}
+
+		const cacheData = {
+			updatedAt: Date.now(),
+			models: newModels,
+			configs,
+		};
+
+		mkdirSync(dirname(CACHE_PATH), { recursive: true });
+		writeFileSync(CACHE_PATH, JSON.stringify(cacheData, null, 2), "utf-8");
+	} catch {
+		// Best-effort
+	}
+}
+
+/**
+ * Get the cached model config for a specific model key.
+ * Used to determine per-model settings (reasoning, max tokens, etc.) at stream time.
+ */
+export function getCachedModelConfig(modelKey: string): QoderModelEntry | null {
+	if (existsSync(CACHE_PATH)) {
+		try {
+			const data = JSON.parse(readFileSync(CACHE_PATH, "utf8"));
+			if (data?.configs?.[modelKey]) {
+				return data.configs[modelKey] as QoderModelEntry;
+			}
+		} catch {
+			// Fall through
+		}
+	}
+	return null;
+}