pi-windsurf-beta 0.1.3

package/oauth.ts

@@ -0,0 +1,290 @@
+/**
+ * OAuth login + RegisterUser + credential storage.
+ */
+import * as http from "http";
+import * as crypto from "crypto";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { spawn } from "child_process";
+
+// ----------------------------------------------------------------------------
+// Types
+// ----------------------------------------------------------------------------
+
+export interface OAuthLoginResult {
+  apiKey: string;
+  name: string;
+  apiServerUrl: string;
+  redirectUrl?: string;
+}
+
+export interface WindsurfRegion {
+  website: string;
+  registerApiServerUrl: string;
+  oauthClientId: string;
+}
+
+export const DEFAULT_REGION: WindsurfRegion = {
+  website: "https://windsurf.com",
+  registerApiServerUrl: "https://register.windsurf.com",
+  oauthClientId: "3GUryQ7ldAeKEuD2obYnppsnmj58eP5u",
+};
+
+export interface PersistedCredentials extends OAuthLoginResult {
+  issuedAt: string;
+  oauthClientId: string;
+}
+
+// ----------------------------------------------------------------------------
+// RegisterUser
+// ----------------------------------------------------------------------------
+
+function anySignal(signals: AbortSignal[]): AbortSignal {
+  const builtin = (AbortSignal as unknown as { any?: (s: AbortSignal[]) => AbortSignal }).any;
+  if (typeof builtin === "function") return builtin(signals);
+  const controller = new AbortController();
+  const onAbort = (reason: unknown): void => {
+    if (!controller.signal.aborted) controller.abort(reason);
+  };
+  for (const s of signals) {
+    if (s.aborted) { onAbort(s.reason); break; }
+    s.addEventListener("abort", () => onAbort(s.reason), { once: true });
+  }
+  return controller.signal;
+}
+
+export class WindsurfRegistrationError extends Error {
+  readonly status: number;
+  readonly connectCode?: string;
+  readonly traceId?: string;
+  constructor(message: string, status: number, connectCode?: string, traceId?: string) {
+    super(message);
+    this.name = "WindsurfRegistrationError";
+    this.status = status;
+    this.connectCode = connectCode;
+    this.traceId = traceId;
+  }
+}
+
+const TRACE_ID_RE = /\(trace ID: ([0-9a-f]+)\)/i;
+
+export async function registerUser(
+  firebaseIdToken: string,
+  region: WindsurfRegion,
+  abortSignal?: AbortSignal,
+): Promise<OAuthLoginResult> {
+  const url = `${region.registerApiServerUrl.replace(/\/$/, "")}/exa.seat_management_pb.SeatManagementService/RegisterUser`;
+  const timeoutSignal = AbortSignal.timeout(30_000);
+  const combinedSignal = abortSignal ? anySignal([abortSignal, timeoutSignal]) : timeoutSignal;
+
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", "Connect-Protocol-Version": "1" },
+    body: JSON.stringify({ firebase_id_token: firebaseIdToken }),
+    signal: combinedSignal,
+  });
+  const text = await response.text();
+
+  if (!response.ok) {
+    let connectCode: string | undefined;
+    let message = text || `RegisterUser failed with HTTP ${response.status}`;
+    try {
+      const errJson = JSON.parse(text) as { code?: string; message?: string };
+      connectCode = errJson.code;
+      if (errJson.message) message = errJson.message;
+    } catch {}
+    const traceMatch = message.match(TRACE_ID_RE);
+    throw new WindsurfRegistrationError(message, response.status, connectCode, traceMatch?.[1]);
+  }
+
+  const parsed = JSON.parse(text) as { api_key?: string; name?: string; api_server_url?: string; redirect_url?: string };
+  const apiKey = parsed.api_key;
+  const name = parsed.name;
+  const apiServerUrl = parsed.api_server_url && parsed.api_server_url.length > 0 ? parsed.api_server_url : "https://server.codeium.com";
+
+  if (!apiKey) throw new WindsurfRegistrationError("RegisterUser returned 200 but api_key was empty", response.status, "malformed_response");
+  if (!name) throw new WindsurfRegistrationError("RegisterUser returned 200 but name was empty", response.status, "malformed_response");
+
+  return { apiKey, name, apiServerUrl, redirectUrl: parsed.redirect_url };
+}
+
+// ----------------------------------------------------------------------------
+// Credential Storage
+// ----------------------------------------------------------------------------
+
+const APP_DIR_NAME = "opencode-windsurf-auth";
+const CREDS_FILENAME = "credentials.json";
+
+export function getCredentialsDir(): string {
+  return path.join(os.homedir(), ".config", APP_DIR_NAME);
+}
+
+export function getCredentialsPath(): string {
+  return path.join(getCredentialsDir(), CREDS_FILENAME);
+}
+
+function ensureDir(): void {
+  const dir = getCredentialsDir();
+  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+}
+
+export function loadCredentials(): PersistedCredentials | null {
+  const p = getCredentialsPath();
+  if (!fs.existsSync(p)) return null;
+  const raw = fs.readFileSync(p, "utf8");
+  const parsed = JSON.parse(raw) as Record<string, unknown>;
+  if (typeof parsed.apiKey !== "string" || !parsed.apiKey ||
+      typeof parsed.name !== "string" || !parsed.name ||
+      typeof parsed.apiServerUrl !== "string" || !parsed.apiServerUrl) {
+    throw new Error(`Credentials file at ${p} is missing required fields.`);
+  }
+  return parsed as unknown as PersistedCredentials;
+}
+
+export function saveCredentials(creds: PersistedCredentials): void {
+  ensureDir();
+  const p = getCredentialsPath();
+  fs.writeFileSync(p, JSON.stringify(creds, null, 2), { mode: 0o600 });
+}
+
+export function deleteCredentials(): boolean {
+  const p = getCredentialsPath();
+  if (!fs.existsSync(p)) return false;
+  fs.unlinkSync(p);
+  return true;
+}
+
+// ----------------------------------------------------------------------------
+// Login flow — loopback callback
+// ----------------------------------------------------------------------------
+
+interface CallbackResult { token: string; state: string; }
+
+export async function runLoginLoopback(
+  region: WindsurfRegion,
+  onUrl: (url: string) => void,
+  signal?: AbortSignal,
+): Promise<string> {
+  const state = crypto.randomUUID();
+  const server = await startCallbackServer();
+  const callbackUrl = `http://127.0.0.1:${server.port}/auth`;
+  const loginUrl = buildLoginUrl(region, callbackUrl, "query", state);
+
+  const callbackPromise = server.callback(state);
+  callbackPromise.catch(() => {});
+
+  onUrl(loginUrl);
+  await openBrowser(loginUrl).catch(() => {});
+
+  const callback = await waitWithTimeout(callbackPromise, 5 * 60 * 1000, signal, "Sign-in timed out.");
+
+  if (!callback.token) throw new Error("OAuth callback delivered an empty token.");
+  server.close();
+  return callback.token;
+}
+
+function buildLoginUrl(region: WindsurfRegion, redirectUri: string, redirectParametersType: "query" | "fragment", state: string): string {
+  const params = new URLSearchParams([
+    ["response_type", "token"],
+    ["client_id", region.oauthClientId],
+    ["redirect_uri", redirectUri],
+    ["state", state],
+    ["prompt", "login"],
+    ["redirect_parameters_type", redirectParametersType],
+  ]);
+  return `${region.website.replace(/\/$/, "")}/windsurf/signin?${params.toString()}`;
+}
+
+interface CallbackServer {
+  port: number;
+  close: () => void;
+  callback: (expectedState: string) => Promise<CallbackResult>;
+}
+
+function startCallbackServer(): Promise<CallbackServer> {
+  return new Promise((resolve, reject) => {
+    let captured: { token: string; state: string } | null = null;
+    const waiters: Array<{ state: string; resolve: (r: CallbackResult) => void; reject: (e: Error) => void }> = [];
+
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url ?? "/", "http://127.0.0.1");
+      if (url.pathname !== "/auth") { res.writeHead(404); res.end("Not Found"); return; }
+
+      const tokenParam = url.searchParams.get("firebase_id_token") ?? url.searchParams.get("access_token") ?? url.searchParams.get("token");
+      const stateParam = url.searchParams.get("state") ?? "";
+
+      if (!tokenParam) {
+        const html = `<!doctype html><html><head><meta charset="utf-8"></head><body><script>(function(){var h=window.location.hash.replace(/^#/,'');if(!h){document.body.innerText='No token in URL.';return}window.location.replace('/auth?'+h);})();</script></body></html>`;
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(html);
+        return;
+      }
+
+      const matchedWaiter = waiters.find(w => w.state === stateParam);
+      if (!matchedWaiter) {
+        renderResponse(res, false, "Unexpected callback — does not match any active sign-in attempt. Close this tab.");
+        return;
+      }
+      captured = { token: tokenParam, state: stateParam };
+      renderResponse(res, true, "Sign-in complete — you can close this tab.");
+      for (let i = waiters.length - 1; i >= 0; i--) {
+        const w = waiters[i];
+        if (w.state === captured.state) { w.resolve(captured); waiters.splice(i, 1); }
+      }
+    });
+
+    server.on("error", reject);
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      if (!addr || typeof addr === "string") { reject(new Error("Failed to bind")); return; }
+      resolve({
+        port: addr.port,
+        close: () => server.close(),
+        callback: (expectedState: string) => new Promise((res, rej) => {
+          if (captured) res({ token: captured.token, state: captured.state });
+          else waiters.push({ state: expectedState, resolve: res, reject: rej });
+        }),
+      });
+    });
+  });
+}
+
+function renderResponse(res: http.ServerResponse, ok: boolean, message: string): void {
+  const html = `<!doctype html><html><head><meta charset="utf-8"><title>Pi Windsurf</title><style>body{font:14px -apple-system,sans-serif;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;background:#0b0d12;color:#e7e9ee}.card{max-width:520px;padding:28px 32px;border-radius:14px;background:#151823;border:1px solid #232838;text-align:center}h1{font-size:18px;margin:0 0 10px;color:${ok ? "#71d784" : "#ff8585"}}p{margin:6px 0;color:#9aa3b2}</style></head><body><div class="card"><h1>${ok ? "Signed in" : "Sign-in failed"}</h1><p>${escapeHtml(message)}</p></div></body></html>`;
+  res.writeHead(ok ? 200 : 400, { "Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store" });
+  res.end(html);
+}
+
+function escapeHtml(s: string): string {
+  return s.replace(/[&<>"']/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c] ?? c);
+}
+
+async function openBrowser(url: string): Promise<void> {
+  const cmds = process.platform === "darwin" ? [{ cmd: "open", args: [url] }]
+    : process.platform === "win32" ? [{ cmd: "cmd", args: ["/c", "start", '""', url] }]
+    : [{ cmd: "xdg-open", args: [url] }, { cmd: "sensible-browser", args: [url] }];
+
+  for (const c of cmds) {
+    const ok = await new Promise<boolean>(resolve => {
+      const child = spawn(c.cmd, c.args, { stdio: "ignore", detached: true });
+      child.on("error", () => resolve(false));
+      child.on("spawn", () => { child.unref(); resolve(true); });
+    });
+    if (ok) return;
+  }
+  throw new Error(`Unable to open browser. Open this URL manually:\n  ${url}`);
+}
+
+function waitWithTimeout<T>(p: Promise<T>, timeoutMs: number, signal: AbortSignal | undefined, msg: string): Promise<T> {
+  return new Promise((resolve, reject) => {
+    const onAbort = () => { cleanup(); reject(new Error("Sign-in cancelled.")); };
+    const timer = setTimeout(() => { cleanup(); reject(new Error(msg)); }, timeoutMs);
+    const cleanup = () => { clearTimeout(timer); if (signal) signal.removeEventListener("abort", onAbort); };
+    if (signal) {
+      if (signal.aborted) { onAbort(); return; }
+      signal.addEventListener("abort", onAbort, { once: true });
+    }
+    p.then(v => { cleanup(); resolve(v); }, e => { cleanup(); reject(e); });
+  });
+}

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "pi-windsurf-beta",
+  "version": "0.1.3",
+  "description": "Windsurf/Cognition models in Pi — Claude, GPT, Gemini, Kimi, DeepSeek, SWE via your Windsurf subscription",
+  "author": "dunghoitao",
+  "license": "MIT",
+  "keywords": [
+    "pi-package",
+    "pi",
+    "windsurf",
+    "cognition",
+    "codeium",
+    "ai",
+    "llm",
+    "provider"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/khanhdeptraivaicachuong/pi-windsurf-beta.git"
+  },
+  "pi": {
+    "extensions": [
+      "./index.ts"
+    ]
+  },
+  "files": [
+    "*.ts",
+    "README.md",
+    "LICENSE"
+  ],
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "type": "commonjs",
+  "bugs": {
+    "url": "https://github.com/khanhdeptraivaicachuong/pi-windsurf-beta/issues"
+  },
+  "homepage": "https://github.com/khanhdeptraivaicachuong/pi-windsurf-beta#readme"
+}

package/proxy.ts

@@ -0,0 +1,350 @@
+/**
+ * OpenAI-compatible HTTP proxy → Cognition Connect-RPC.
+ *
+ * Binds at 127.0.0.1:42100 (or fallback port). Accepts standard
+ * /v1/chat/completions and /v1/models requests, translates to
+ * WindSurf's cloud-direct GetChatMessage wire format.
+ */
+import * as crypto from "crypto";
+import { createServer, type IncomingMessage, type ServerResponse } from "http";
+import { streamChatEvents, CloudChatError, type ChatHistoryItem, type ToolDef } from "./chat";
+import { resolveModelOrPassthrough, getDefaultModel, getCanonicalModels } from "./models";
+import { loadCredentials } from "./oauth";
+
+const WINDSURF_PROXY_HOST = "127.0.0.1";
+const WINDSURF_PROXY_PORT = 42100;
+
+// Per-process secret — same-process callers use this as Bearer token.
+export const PROXY_SECRET: string = crypto.randomBytes(32).toString("hex");
+
+// In-memory credentials cache — set from extension on startup/after login
+export let proxyCredentials: { apiKey: string; apiServerUrl: string } | null = null;
+export function setProxyCredentials(creds: { apiKey: string; apiServerUrl: string } | null): void {
+  proxyCredentials = creds;
+}
+
+// ----------------------------------------------------------------------------
+// Proxy handler (Node http server)
+// ----------------------------------------------------------------------------
+
+interface ChatCompletionRequest {
+  model?: string;
+  messages: Array<{
+    role: string;
+    content: string | Array<{ type: string; text?: string; image_url?: { url: string } }>;
+    tool_call_id?: string;
+    tool_calls?: Array<{ id?: string; type?: string; function?: { name?: string; arguments?: string } }>;
+  }>;
+  stream?: boolean;
+  temperature?: number;
+  max_tokens?: number;
+  tools?: Array<{ type?: string; function?: { name?: string; description?: string; parameters?: Record<string, unknown> } }>;
+  providerOptions?: Record<string, unknown>;
+}
+
+function mapMessageToHistoryItem(m: ChatCompletionRequest["messages"][number]): ChatHistoryItem {
+  const item: ChatHistoryItem = { role: m.role as ChatHistoryItem["role"], content: m.content as ChatHistoryItem["content"] };
+  if (m.role === "tool" && typeof m.tool_call_id === "string" && m.tool_call_id.length > 0) {
+    item.tool_call_id = m.tool_call_id;
+  }
+  if (m.role === "assistant" && Array.isArray(m.tool_calls) && m.tool_calls.length > 0) {
+    item.tool_calls = m.tool_calls
+      .map(tc => ({ id: typeof tc.id === "string" ? tc.id : "", name: typeof tc.function?.name === "string" ? tc.function.name : "", arguments: typeof tc.function?.arguments === "string" ? tc.function.arguments : "" }))
+      .filter(tc => tc.id !== "" && tc.name !== "");
+  }
+  return item;
+}
+
+function extractVariantFromProviderOptions(providerOptions: Record<string, unknown> | undefined): string | undefined {
+  if (!providerOptions) return undefined;
+  const windsurfRaw = providerOptions["windsurf"];
+  const windsurf = windsurfRaw && typeof windsurfRaw === "object" ? (windsurfRaw as Record<string, unknown>) : undefined;
+  const pickString = (v: unknown): string | undefined => (typeof v === "string" ? v : undefined);
+  return pickString(windsurf?.["variant"]) ?? pickString(windsurf?.["variantID"]) ?? pickString(windsurf?.["variantId"]) ?? pickString(providerOptions["variant"]) ?? pickString(providerOptions["variantID"]) ?? pickString(providerOptions["variantId"]);
+}
+
+function openAIError(status: number, message: string, details?: string): object {
+  return { status, body: JSON.stringify({ error: { message: details ? `${message}\n${details}` : message, type: "windsurf_error", param: null, code: null } }), contentType: "application/json" };
+}
+
+async function authorizeRequest(req: IncomingMessage): Promise<{ status: number; body: string; contentType: string } | null> {
+  const authHeader = (req.headers.authorization ?? "") as string;
+  if (!authHeader.startsWith("Bearer ")) {
+    return { status: 401, body: JSON.stringify({ error: { message: "Unauthorized: missing or malformed Authorization header.", type: "windsurf_error" } }), contentType: "application/json" };
+  }
+  const presented = authHeader.slice("Bearer ".length);
+  const presentedBuf = Buffer.from(presented, "utf8");
+
+  // Accept per-process secret
+  const secretBuf = Buffer.from(PROXY_SECRET, "utf8");
+  if (presentedBuf.length === secretBuf.length && crypto.timingSafeEqual(presentedBuf, secretBuf)) return null;
+
+  // Accept in-memory credentials (synced from Pi's OAuth store)
+  if (proxyCredentials?.apiKey) {
+    const credBuf = Buffer.from(proxyCredentials.apiKey, "utf8");
+    if (presentedBuf.length === credBuf.length && crypto.timingSafeEqual(presentedBuf, credBuf)) return null;
+  }
+  // Accept persisted apiKey from disk (set by standalone CLI)
+  try {
+    const creds = loadCredentials();
+    if (creds?.apiKey && creds.apiKey !== proxyCredentials?.apiKey) {
+      const credBuf = Buffer.from(creds.apiKey, "utf8");
+      if (presentedBuf.length === credBuf.length && crypto.timingSafeEqual(presentedBuf, credBuf)) return null;
+    }
+  } catch {}
+
+  return { status: 401, body: JSON.stringify({ error: { message: "Unauthorized: Invalid Bearer token.", type: "windsurf_error" } }), contentType: "application/json" };
+}
+
+function getBody(req: IncomingMessage): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    req.on("data", c => chunks.push(Buffer.from(c)));
+    req.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
+    req.on("error", reject);
+  });
+}
+
+async function handleRequest(req: IncomingMessage, res: ServerResponse): Promise<void> {
+  try {
+    const url = new URL(req.url ?? "/", `http://${WINDSURF_PROXY_HOST}`);
+
+    // /health — unauthenticated
+    if (url.pathname === "/health") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ ok: true }));
+      return;
+    }
+
+    // Auth gate for everything else
+    const authErr = await authorizeRequest(req);
+    if (authErr) {
+      res.writeHead(authErr.status, { "Content-Type": authErr.contentType });
+      res.end(authErr.body);
+      return;
+    }
+
+    // /v1/models
+    if (url.pathname === "/v1/models" || url.pathname === "/models") {
+      const modelIds = getCanonicalModels();
+      const data = modelIds.map(id => ({ id, object: "model", created: Math.floor(Date.now() / 1000), owned_by: "windsurf" }));
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ object: "list", data }));
+      return;
+    }
+
+    // /v1/chat/completions
+    if (url.pathname === "/v1/chat/completions" || url.pathname === "/chat/completions") {
+      if (req.method !== "POST") {
+        res.writeHead(405, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: { message: "Method not allowed; use POST.", type: "windsurf_error" } }));
+        return;
+      }
+
+      const rawBody = await getBody(req);
+      let requestBody: ChatCompletionRequest;
+      try { requestBody = JSON.parse(rawBody); }
+      catch { res.writeHead(400, { "Content-Type": "application/json" }); res.end(JSON.stringify({ error: { message: "Malformed JSON." } })); return; }
+
+      if (!requestBody.messages || !Array.isArray(requestBody.messages)) {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: { message: "messages must be an array." } }));
+        return;
+      }
+
+      const diskCreds = loadCredentials();
+      const creds = diskCreds ?? proxyCredentials;
+      if (!creds) {
+        res.writeHead(503, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: { message: "Not authenticated. Run /login windsurf first." } }));
+        return;
+      }
+
+      const requestedModel = requestBody.model || getDefaultModel();
+      const variantOverride = extractVariantFromProviderOptions(requestBody.providerOptions);
+      const resolved = resolveModelOrPassthrough(requestedModel + (variantOverride ? `:${variantOverride}` : ""));
+
+      const tools: ToolDef[] = (requestBody.tools ?? []).map(t => ({
+        name: t.function?.name ?? "unknown",
+        description: t.function?.description ?? "",
+        parameters: t.function?.parameters ?? {},
+      }));
+
+      const multimodalMessages: ChatHistoryItem[] = requestBody.messages.map(m => mapMessageToHistoryItem(m));
+      const requestedMaxTokens = typeof requestBody.max_tokens === "number" && requestBody.max_tokens > 0 ? requestBody.max_tokens : 128_000;
+      const isStreaming = requestBody.stream !== false;
+
+      if (isStreaming) {
+        // SSE streaming response
+        res.writeHead(200, {
+          "Content-Type": "text/event-stream",
+          "Cache-Control": "no-cache",
+          "Connection": "keep-alive",
+        });
+
+        const responseId = `chatcmpl-${crypto.randomUUID()}`;
+        const abort = new AbortController();
+        req.on("close", () => { if (!res.writableEnded) abort.abort(); });
+
+        try {
+          let firstChunkSent = false;
+          let toolCallIndex = -1;
+          const toolIdToIndex = new Map<string, number>();
+          let lastToolCallId: string | undefined;
+          let finishReason: "stop" | "tool_calls" | "length" | "content_filter" | null = null;
+          let usage: { promptTokens?: number; completionTokens?: number; totalTokens?: number } | null = null;
+
+          for await (const ev of streamChatEvents({
+            apiKey: creds.apiKey,
+            apiServerUrl: creds.apiServerUrl,
+            modelUid: resolved.modelUid,
+            messages: multimodalMessages,
+            tools: tools.length > 0 ? tools : undefined,
+            signal: abort.signal,
+            completionOpts: { maxOutputTokens: requestedMaxTokens },
+          })) {
+            const role = firstChunkSent ? undefined : "assistant";
+
+            if (ev.kind === "text") {
+              const chunk = { id: responseId, object: "chat.completion.chunk", created: Math.floor(Date.now() / 1000), model: requestedModel, choices: [{ index: 0, delta: role ? { role, content: ev.text } : { content: ev.text }, finish_reason: null }] };
+              res.write(`data: ${JSON.stringify(chunk)}\n\n`);
+              firstChunkSent = true;
+            } else if (ev.kind === "reasoning") {
+              const chunk = { id: responseId, object: "chat.completion.chunk", created: Math.floor(Date.now() / 1000), model: requestedModel, choices: [{ index: 0, delta: role ? { role, reasoning: ev.text } : { reasoning: ev.text }, finish_reason: null }] };
+              res.write(`data: ${JSON.stringify(chunk)}\n\n`);
+              firstChunkSent = true;
+            } else if (ev.kind === "tool_call_start") {
+              toolCallIndex += 1;
+              toolIdToIndex.set(ev.id, toolCallIndex);
+              lastToolCallId = ev.id;
+              const baseDelta = { tool_calls: [{ index: toolCallIndex, id: ev.id, type: "function", function: { name: ev.name, arguments: "" } }] };
+              const delta = firstChunkSent ? baseDelta : { role: "assistant", ...baseDelta };
+              const chunk = { id: responseId, object: "chat.completion.chunk", created: Math.floor(Date.now() / 1000), model: requestedModel, choices: [{ index: 0, delta, finish_reason: null }] };
+              res.write(`data: ${JSON.stringify(chunk)}\n\n`);
+              firstChunkSent = true;
+            } else if (ev.kind === "tool_call_args") {
+              if (lastToolCallId === undefined || toolCallIndex < 0) continue;
+              const routeKey = ev.id ?? lastToolCallId;
+              const idx = toolIdToIndex.get(routeKey) ?? toolCallIndex;
+              const chunk = { id: responseId, object: "chat.completion.chunk", created: Math.floor(Date.now() / 1000), model: requestedModel, choices: [{ index: 0, delta: { tool_calls: [{ index: idx, function: { arguments: ev.argsDelta } }] }, finish_reason: null }] };
+              res.write(`data: ${JSON.stringify(chunk)}\n\n`);
+            } else if (ev.kind === "finish") {
+              finishReason = ev.reason;
+            } else if (ev.kind === "usage") {
+              usage = { promptTokens: ev.promptTokens, completionTokens: ev.completionTokens, totalTokens: ev.totalTokens };
+            }
+          }
+
+          const finalReason = finishReason ?? (toolCallIndex >= 0 ? "tool_calls" : "stop");
+          const finishChunk = { id: responseId, object: "chat.completion.chunk", created: Math.floor(Date.now() / 1000), model: requestedModel, choices: [{ index: 0, delta: {}, finish_reason: finalReason }] };
+          res.write(`data: ${JSON.stringify(finishChunk)}\n\n`);
+
+          if (usage) {
+            const usageChunk = { id: responseId, object: "chat.completion.chunk", created: Math.floor(Date.now() / 1000), model: requestedModel, choices: [], usage: { prompt_tokens: usage.promptTokens ?? 0, completion_tokens: usage.completionTokens ?? 0, total_tokens: usage.totalTokens ?? 0 } };
+            res.write(`data: ${JSON.stringify(usageChunk)}\n\n`);
+          }
+          res.write("data: [DONE]\n\n");
+          res.end();
+        } catch (error) {
+          const errorMessage = error instanceof Error ? error.message : "Unknown error";
+          try {
+            res.write(`data: ${JSON.stringify({ error: { message: errorMessage } })}\n\n`);
+            const fChunk = { id: responseId, object: "chat.completion.chunk", created: Math.floor(Date.now() / 1000), model: requestedModel, choices: [{ index: 0, delta: {}, finish_reason: "stop" }] };
+            res.write(`data: ${JSON.stringify(fChunk)}\n\n`);
+            res.write("data: [DONE]\n\n");
+            res.end();
+          } catch { /* socket dead */ }
+        }
+      } else {
+        // Non-streaming response
+        let collected = "";
+        let finishReason: "stop" | "tool_calls" | "length" | "content_filter" = "stop";
+        let usage: { promptTokens?: number; completionTokens?: number; totalTokens?: number } | null = null;
+        type CollectedToolCall = { id: string; name: string; args: string };
+        const collectedToolCalls: CollectedToolCall[] = [];
+        let currentToolCall: CollectedToolCall | null = null;
+
+        const abort = new AbortController();
+        for await (const ev of streamChatEvents({
+          apiKey: creds.apiKey,
+          apiServerUrl: creds.apiServerUrl,
+          modelUid: resolved.modelUid,
+          messages: multimodalMessages,
+          tools: tools.length > 0 ? tools : undefined,
+          completionOpts: { maxOutputTokens: requestedMaxTokens },
+          signal: abort.signal,
+        })) {
+          if (ev.kind === "text") collected += ev.text;
+          else if (ev.kind === "tool_call_start") { currentToolCall = { id: ev.id, name: ev.name, args: "" }; collectedToolCalls.push(currentToolCall); }
+          else if (ev.kind === "tool_call_args") { if (currentToolCall) currentToolCall.args += ev.argsDelta; }
+          else if (ev.kind === "finish") finishReason = ev.reason;
+          else if (ev.kind === "usage") usage = { promptTokens: ev.promptTokens, completionTokens: ev.completionTokens, totalTokens: ev.totalTokens };
+        }
+        if (collectedToolCalls.length > 0 && finishReason === "stop") finishReason = "tool_calls";
+
+        const assistantMessage = collectedToolCalls.length > 0
+          ? { role: "assistant" as const, content: collected, tool_calls: collectedToolCalls.map(tc => ({ id: tc.id, type: "function" as const, function: { name: tc.name, arguments: tc.args } })) }
+          : { role: "assistant" as const, content: collected };
+
+        const resp = {
+          id: `chatcmpl-${crypto.randomUUID()}`,
+          object: "chat.completion",
+          created: Math.floor(Date.now() / 1000),
+          model: requestedModel,
+          choices: [{ index: 0, message: assistantMessage, finish_reason: finishReason }],
+          ...(usage ? { usage: { prompt_tokens: usage.promptTokens ?? 0, completion_tokens: usage.completionTokens ?? 0, total_tokens: usage.totalTokens ?? 0 } } : {}),
+        };
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify(resp));
+      }
+      return;
+    }
+
+    res.writeHead(404, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: { message: `Unsupported path: ${url.pathname}` } }));
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    try {
+      res.writeHead(500, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: { message } }));
+    } catch {}
+  }
+}
+
+// ----------------------------------------------------------------------------
+// Server startup
+// ----------------------------------------------------------------------------
+
+let serverInstance: ReturnType<typeof createServer> | null = null;
+
+export function startProxy(port: number = WINDSURF_PROXY_PORT): Promise<number> {
+  if (serverInstance) return Promise.resolve((serverInstance.address() as { port: number }).port);
+
+  return new Promise((resolve, reject) => {
+    const srv = createServer(handleRequest);
+    srv.on("error", (err: NodeJS.ErrnoException) => {
+      if (err.code === "EADDRINUSE") {
+        // Try fallback port
+        srv.listen(0, WINDSURF_PROXY_HOST, () => {
+          const addr = srv.address() as { port: number };
+          serverInstance = srv;
+          resolve(addr.port);
+        });
+        return;
+      }
+      reject(err);
+    });
+    srv.listen(port, WINDSURF_PROXY_HOST, () => {
+      serverInstance = srv;
+      const addr = srv.address() as { port: number };
+      resolve(addr.port);
+    });
+  });
+}
+
+export function stopProxy(): void {
+  if (serverInstance) {
+    try { serverInstance.close(); } catch {}
+    serverInstance = null;
+  }
+}