npm - pikiloom - Versions diffs - 0.4.13 → 0.4.15 - Mend

pikiloom 0.4.13 → 0.4.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/dashboard/dist/assets/AgentTab-CKoy_-w4.js +1 -0
package/dashboard/dist/assets/{DirBrowser-Du91b-sn.js → DirBrowser-DpbuN0OL.js} +1 -1
package/dashboard/dist/assets/{ExtensionsTab-CV0rbtj2.js → ExtensionsTab-ymr7K8dU.js} +1 -1
package/dashboard/dist/assets/{IMAccessTab-BevAFdq9.js → IMAccessTab-CaTtCn3l.js} +1 -1
package/dashboard/dist/assets/{Modal-DK1MkhKX.js → Modal-DA-9kJxp.js} +1 -1
package/dashboard/dist/assets/Modals-BkLIRnNK.js +1 -0
package/dashboard/dist/assets/Select-B0pZtuzF.js +1 -0
package/dashboard/dist/assets/SessionPanel-CYQtZZNX.js +1 -0
package/dashboard/dist/assets/{SystemTab-jafqMUsq.js → SystemTab-B9TcGMzc.js} +1 -1
package/dashboard/dist/assets/codex-C6EwIzap.png +0 -0
package/dashboard/dist/assets/deepseek-DOQzDJ-4.ico +0 -0
package/dashboard/dist/assets/hermes-ClPe1RPI.png +0 -0
package/dashboard/dist/assets/index-BCYshErN.js +3 -0
package/dashboard/dist/assets/index-C5irxzzD.js +23 -0
package/dashboard/dist/assets/logo-wordmark-B0Z6VgSZ.png +0 -0
package/dashboard/dist/assets/logo-wordmark-light-D9FCWeOH.png +0 -0
package/dashboard/dist/assets/playwright-GP3HuCap.ico +0 -0
package/dashboard/dist/assets/qwen-DKVAROae.png +0 -0
package/dashboard/dist/assets/shared-i_XUH0xm.js +1 -0
package/dashboard/dist/index.html +1 -1
package/dashboard/dist/logo.png +0 -0
package/dist/agent/auto-update.js +99 -4
package/dist/agent/drivers/claude.js +6 -26
package/dist/agent/drivers/codex.js +4 -26
package/dist/agent/drivers/gemini.js +4 -26
package/dist/agent/drivers/hermes.js +4 -26
package/dist/agent/index.js +1 -1
package/dist/agent/mcp/bridge.js +53 -2
package/dist/agent/session.js +16 -3
package/dist/agent/stream.js +37 -3
package/dist/bot/bot.js +18 -5
package/dist/channels/telegram/bot.js +2 -2
package/dist/channels/telegram/render.js +47 -1
package/dist/core/constants.js +8 -0
package/dist/dashboard/routes/extensions.js +6 -0
package/dist/dashboard/routes/models.js +9 -1
package/dist/dashboard/routes/sessions.js +25 -0
package/dist/dashboard/server.js +8 -0
package/dist/model/index.js +1 -1
package/dist/model/injector.js +209 -28
package/dist/model/responses-bridge.js +407 -0
package/package.json +1 -1
package/dashboard/dist/assets/AgentTab-DJ2MSY9m.js +0 -1
package/dashboard/dist/assets/Modals-UEF0H1UN.js +0 -1
package/dashboard/dist/assets/Select-YrnugZXH.js +0 -1
package/dashboard/dist/assets/SessionPanel-DbSdD2Jt.js +0 -1
package/dashboard/dist/assets/codex-DYadqqp0.png +0 -0
package/dashboard/dist/assets/deepseek-BeYNZEk0.ico +0 -0
package/dashboard/dist/assets/hermes-BAarh-tH.png +0 -0
package/dashboard/dist/assets/index-BnTrNACS.js +0 -23
package/dashboard/dist/assets/index-SkDflrDp.js +0 -3
package/dashboard/dist/assets/logo-wordmark-FzeBAUsd.png +0 -0
package/dashboard/dist/assets/logo-wordmark-light-snSpARTN.png +0 -0
package/dashboard/dist/assets/playwright-BldPFZgC.ico +0 -0
package/dashboard/dist/assets/qwen-xykkX0_y.png +0 -0
package/dashboard/dist/assets/shared-BpcXDkDP.js +0 -1

package/dist/model/injector.js CHANGED Viewed

@@ -7,8 +7,10 @@
  * = adding one entry to AGENT_INJECT_TABLE.
  */
 import { resolveCredential } from '../core/secrets/index.js';
+import { writeScopedLog } from '../core/logging.js';
 import { getActiveProfile, getProvider } from './store.js';
 import { peekProviderModelInfo, prefetchProviderModels } from './provider-models.js';
+import { ensureResponsesBridge, upstreamToken } from './responses-bridge.js';
 const EMPTY = { env: {}, argvAppend: [], detail: '' };
 // ---------------------------------------------------------------------------
 // Shared host-based provider identification
@@ -53,7 +55,13 @@ function providerSlug(provider) {
         return 'doubao';
     if (host.includes('openrouter'))
         return 'openrouter';
-    return 'openrouter';
+    // Unknown host: derive a stable slug from the hostname's leading label. (The
+    // old `return 'openrouter'` fallback mis-slugged every unrecognised provider —
+    // including localhost Ollama — as openrouter.) This never collides with
+    // codex's reserved built-in `openai`/`oss`/`ollama` ids, which are routed
+    // before we ever reach providerSlug.
+    const label = host.replace(/:\d+$/, '').replace(/^(www|api)\./, '').split('.')[0].replace(/[^a-z0-9]+/g, '-').replace(/^-+|-+$/g, '');
+    return label || 'byok';
 }
 /**
  * Canonical env-var name(s) carrying the credential for a provider. Returned
@@ -152,6 +160,24 @@ function claudeAnthropicBaseURL(provider) {
     }
     return raw.replace(/\/v1$/, '');
 }
+/**
+ * First-party Anthropic = the official API host (`api.anthropic.com` / any
+ * `*.anthropic.com`). A Claude route counts as "direct" when it lands here —
+ * both the subscription path and an own-key BYOK profile pointed at
+ * api.anthropic.com. Everything else (OpenRouter, DeepSeek, domestic series, a
+ * self-hosted relay, localhost) is a third-party proxy. Unparseable → treat as
+ * proxy (safe default: suppressing attribution is harmless, churning isn't).
+ */
+function isFirstPartyAnthropic(baseURL) {
+    let host;
+    try {
+        host = new URL(baseURL).hostname.toLowerCase();
+    }
+    catch {
+        return false;
+    }
+    return host === 'anthropic.com' || host.endsWith('.anthropic.com');
+}
 /**
  * Claude Code respects `ANTHROPIC_BASE_URL` + `ANTHROPIC_API_KEY` (or
  * `ANTHROPIC_AUTH_TOKEN`) as a BYOK route. The CLI itself is unchanged.
@@ -170,50 +196,200 @@ const claudeInjector = (provider, profile, apiKey) => {
             detail: `Claude BYOK requires Anthropic or OpenAI-compatible (Anthropic-API-shaped) provider; got ${provider.kind}.`,
         };
     }
+    const baseURL = claudeAnthropicBaseURL(provider);
+    const env = {
+        ANTHROPIC_BASE_URL: baseURL,
+        ANTHROPIC_API_KEY: apiKey,
+        ANTHROPIC_AUTH_TOKEN: apiKey,
+    };
+    // Claude Code >= 2.1.36 stamps a per-request `x-anthropic-billing-header`
+    // (cc_version / cc_entrypoint / cch=… — the cch token churns every turn).
+    // Third-party proxies (OpenRouter, DeepSeek /anthropic, domestic series, any
+    // OpenAI-compat or self-hosted Anthropic-shaped front) often key their
+    // prefix/KV cache on request headers, so the churn forces a full prompt
+    // reprocess every turn — slow and expensive. `0` makes claude omit the header
+    // (env-bool: 0/false/no/off). Only on proxy routes: first-party Anthropic
+    // (api.anthropic.com — subscription OR own-key direct) is left exactly as
+    // shipped; its cache is content/breakpoint based, so attribution is irrelevant
+    // there and we don't touch it.
+    if (!isFirstPartyAnthropic(baseURL)) {
+        env.CLAUDE_CODE_ATTRIBUTION_HEADER = '0';
+    }
     return {
-        env: {
-            ANTHROPIC_BASE_URL: claudeAnthropicBaseURL(provider),
-            ANTHROPIC_API_KEY: apiKey,
-            ANTHROPIC_AUTH_TOKEN: apiKey,
-        },
+        env,
         argvAppend: [],
         modelOverride: profile.modelId,
         detail: `Claude BYOK → ${provider.name} / ${profile.modelId}`,
     };
 };
+function providerHostname(provider) {
+    try {
+        return new URL(provider.baseURL).hostname.toLowerCase();
+    }
+    catch {
+        return '';
+    }
+}
+/** True for localhost endpoints (Ollama / LM Studio / llama.cpp). */
+function isLocalProvider(provider) {
+    const h = providerHostname(provider);
+    return h === 'localhost' || h === '127.0.0.1' || h === '0.0.0.0' || h === '::1';
+}
+/** Providers that natively implement the OpenAI Responses API (codex talks to them directly). */
+function isResponsesNativeProvider(provider) {
+    return providerHost(provider).includes('openrouter');
+}
+/** codex's built-in local provider id for a localhost endpoint. */
+function codexLocalProvider(provider) {
+    let port = '';
+    try {
+        port = new URL(provider.baseURL).port;
+    }
+    catch { /* ignore */ }
+    if (port === '1234' || /lm\s*studio/i.test(provider.name))
+        return 'lmstudio';
+    return 'ollama';
+}
+/** Ollama keeps a prewarmed model resident for this long (its `keep_alive`). */
+const PREWARM_KEEP_ALIVE = '30m';
+/**
+ * Warm a localhost model backend so the user's first real turn doesn't pay the
+ * model cold-load (weights → memory). Fire-and-forget: never blocks the caller,
+ * never throws.
+ *
+ *  - Ollama has a native load endpoint — `POST /api/generate {model, keep_alive}`
+ *    with no prompt loads the weights and returns immediately; `keep_alive`
+ *    keeps them resident across the seed + real turns of a session.
+ *  - LM Studio JIT-loads on first request, so we nudge it with a 1-token
+ *    completion against its OpenAI-compatible endpoint.
+ *
+ * Called when a local Profile is bound (warm while the user reads / types) and
+ * again at spawn (re-assert keep_alive). Measured: a cold gemma3:4b spent ~12s
+ * before its first token; prewarmed, generation starts in ~2s.
+ */
+export function prewarmLocalModel(provider, modelId) {
+    if (!modelId || !isLocalProvider(provider))
+        return;
+    let origin;
+    try {
+        origin = new URL(provider.baseURL).origin;
+    }
+    catch {
+        return;
+    }
+    const swallow = () => { };
+    if (codexLocalProvider(provider) === 'lmstudio') {
+        void fetch(`${origin}/v1/chat/completions`, {
+            method: 'POST', headers: { 'content-type': 'application/json' },
+            body: JSON.stringify({ model: modelId, max_tokens: 1, messages: [{ role: 'user', content: 'hi' }] }),
+        }).then(swallow, swallow);
+        return;
+    }
+    void fetch(`${origin}/api/generate`, {
+        method: 'POST', headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ model: modelId, keep_alive: PREWARM_KEEP_ALIVE }),
+    }).then(r => { writeScopedLog('model-prewarm', `ollama load ${modelId} → ${r.status}`); }, e => { writeScopedLog('model-prewarm', `ollama load ${modelId} failed: ${e?.message || e}`, { level: 'warn', stream: 'stderr' }); });
+}
+/**
+ * Decide how codex should reach a provider. Codex 0.140+ speaks ONLY the
+ * Responses API, so the route depends on what the provider implements:
+ *   openai-native   genuine OpenAI            → built-in `openai` provider
+ *   local-oss       localhost Ollama/LMStudio → built-in `ollama`/`lmstudio` (responses)
+ *   responses-native OpenRouter, …            → custom provider, responses direct
+ *   bridge          chat-only (DeepSeek, Kimi, MiniMax, 豆包, Qwen, Zhipu, …)
+ *                                             → local Responses↔Chat bridge
+ */
+function codexRoute(provider) {
+    if (provider.kind === 'openai')
+        return 'openai-native';
+    if (isLocalProvider(provider))
+        return 'local-oss';
+    if (isResponsesNativeProvider(provider))
+        return 'responses-native';
+    return 'bridge';
+}
 /**
- * Codex CLI honours `model_providers.<slug>` definitions in `config.toml`.
- * Setting `OPENAI_BASE_URL` alone is not enough — Codex still routes through
- * the default `openai` provider's auth flow. The robust path is to declare a
- * one-shot `model_providers.<slug>` via `-c` overrides and bind it via
- * `model_provider="<slug>"`. The credential lives in the env var named by
- * `env_key`, picked host-aware (e.g. `OPENROUTER_API_KEY` for openrouter.ai).
+ * Codex CLI honours `model_providers.<slug>` definitions in `config.toml` and
+ * binds the active one via `model_provider="<slug>"`. The credential lives in
+ * the env var named by `env_key`, picked host-aware (e.g. `DEEPSEEK_API_KEY`).
  *
- * Note on `wire_api`: codex 0.130 dropped `"chat"` ("no longer supported"); we
- * omit the field entirely so codex picks its current default (`responses`),
- * which OpenRouter and other major OpenAI-compatible providers accept.
+ * Codex 0.140+ dropped Chat Completions (`wire_api = "chat"` is rejected at
+ * config load) — it speaks ONLY the Responses API. So this injector routes per
+ * `codexRoute()`: responses-capable providers (OpenAI, OpenRouter, local
+ * Ollama/LM Studio) are reached directly with the default `responses` wire;
+ * chat-only providers (DeepSeek and the domestic series) are routed through the
+ * in-process Responses↔Chat bridge, which codex sees as just another
+ * responses-speaking provider on localhost.
  */
-const codexInjector = (provider, profile, apiKey) => {
+const codexInjector = async (provider, profile, apiKey) => {
     if (provider.kind !== 'openai' && provider.kind !== 'openai-compatible') {
         return {
             ...EMPTY,
-            detail: `Codex BYOK requires OpenAI-compatible provider; got ${provider.kind}.`,
+            detail: `Codex BYOK requires an OpenAI-compatible provider; got ${provider.kind}.`,
+        };
+    }
+    const model = profile.modelId;
+    const route = codexRoute(provider);
+    // Local Ollama / LM Studio: codex's built-in provider already speaks the
+    // Responses API to the local server. Just select it — no custom provider, no
+    // API key. (Defining `model_providers.<built-in>` is rejected: "Built-in
+    // providers cannot be overridden.")
+    if (route === 'local-oss') {
+        const local = codexLocalProvider(provider);
+        prewarmLocalModel(provider, model);
+        return {
+            env: {}, argvAppend: [],
+            codexConfigOverrides: [`model_provider="${local}"`],
+            modelOverride: model,
+            detail: `Codex local → ${provider.name} / ${model} (built-in ${local}, responses)`,
+        };
+    }
+    // Genuine OpenAI: use the built-in `openai` provider; inject the key (+ base).
+    if (route === 'openai-native') {
+        const env = { OPENAI_API_KEY: apiKey };
+        if (provider.baseURL)
+            env.OPENAI_BASE_URL = provider.baseURL;
+        return {
+            env, argvAppend: [],
+            codexConfigOverrides: ['model_provider="openai"'],
+            modelOverride: model,
+            detail: `Codex BYOK → OpenAI / ${model}`,
         };
     }
     const slug = providerSlug(provider);
     const envKey = codexEnvKey(provider);
-    const overrides = [
-        `model_providers.${slug}.name="${tomlEscape(provider.name)}"`,
-        `model_providers.${slug}.base_url="${tomlEscape(provider.baseURL)}"`,
-        `model_providers.${slug}.env_key="${envKey}"`,
-        `model_provider="${slug}"`,
-    ];
+    // Chat-only providers: route through the local Responses↔Chat bridge. Codex
+    // forwards `Authorization: Bearer <key>` (from env_key) to the bridge, which
+    // relays it to the upstream chat endpoint — the bridge never stores secrets.
+    if (route === 'bridge') {
+        const port = await ensureResponsesBridge();
+        const base = `http://127.0.0.1:${port}/u/${upstreamToken(provider.baseURL)}`;
+        return {
+            env: { [envKey]: apiKey },
+            argvAppend: [],
+            codexConfigOverrides: [
+                `model_providers.${slug}.name="${tomlEscape(provider.name)}"`,
+                `model_providers.${slug}.base_url="${tomlEscape(base)}"`,
+                `model_providers.${slug}.env_key="${envKey}"`,
+                `model_provider="${slug}"`,
+            ],
+            modelOverride: model,
+            detail: `Codex BYOK → ${provider.name} / ${model} via Responses↔Chat bridge (provider=${slug})`,
+        };
+    }
+    // responses-native (OpenRouter, …): point codex straight at the provider's
+    // Responses endpoint (wire_api omitted ⇒ codex default `responses`).
     return {
         env: { [envKey]: apiKey },
         argvAppend: [],
-        codexConfigOverrides: overrides,
-        modelOverride: profile.modelId,
-        detail: `Codex BYOK → ${provider.name} / ${profile.modelId} (provider=${slug})`,
+        codexConfigOverrides: [
+            `model_providers.${slug}.name="${tomlEscape(provider.name)}"`,
+            `model_providers.${slug}.base_url="${tomlEscape(provider.baseURL)}"`,
+            `model_providers.${slug}.env_key="${envKey}"`,
+            `model_provider="${slug}"`,
+        ],
+        modelOverride: model,
+        detail: `Codex BYOK → ${provider.name} / ${model} (provider=${slug}, native responses)`,
     };
 };
 /** Gemini CLI accepts `GEMINI_API_KEY` but does not allow custom baseURL. */
@@ -289,12 +465,17 @@ export async function resolveAgentInjection(agentId) {
     const injector = AGENT_INJECT_TABLE[agentId];
     if (!injector)
         return null;
-    let apiKey;
+    // Local providers (Ollama / LM Studio / llama.cpp) need no credential — codex
+    // reaches them via its built-in localhost provider with no auth. Don't let a
+    // missing/placeholder key block an otherwise-valid local binding.
+    let apiKey = '';
     try {
         apiKey = await resolveCredential(provider.credential);
     }
     catch (e) {
-        throw new Error(`Failed to resolve credential for ${provider.name}: ${e?.message || e}`);
+        if (!isLocalProvider(provider)) {
+            throw new Error(`Failed to resolve credential for ${provider.name}: ${e?.message || e}`);
+        }
     }
     const result = await injector(provider, profile, apiKey);
     // Attach the provider display name so renders can surface "via <provider>"