upfynai-code 2.2.0 → 2.4.0

package/server/relay-client.js

@@ -17,19 +17,27 @@ import path from 'path';
 import { spawn } from 'child_process';
 import { promises as fsPromises } from 'fs';
 import crypto from 'crypto';
+import {
+  c,
+  showConnectStartup,
+  showConnectionBanner,
+  logRelayEvent,
+  createSpinner,
+} from './cli-ui.js';
+
+// Load package.json for version
+import { fileURLToPath } from 'url';
+const __filename_rc = fileURLToPath(import.meta.url);
+const __dirname_rc = path.dirname(__filename_rc);
+let VERSION = '0.0.0';
+try {
+  const pkg = JSON.parse(fs.readFileSync(path.join(__dirname_rc, '../package.json'), 'utf8'));
+  VERSION = pkg.version;
+} catch { /* ignore */ }
 
 const CONFIG_DIR = path.join(os.homedir(), '.upfynai');
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
 
-// ANSI colors
-const c = {
-  green: (t) => `\x1b[32m${t}\x1b[0m`,
-  red: (t) => `\x1b[31m${t}\x1b[0m`,
-  cyan: (t) => `\x1b[36m${t}\x1b[0m`,
-  dim: (t) => `\x1b[2m${t}\x1b[0m`,
-  bold: (t) => `\x1b[1m${t}\x1b[0m`,
-};
-
 function loadConfig() {
   try {
     if (fs.existsSync(CONFIG_FILE)) {
@@ -90,11 +98,9 @@ async function handleRelayCommand(data, ws) {
   try {
     switch (action) {
       case 'claude-query': {
-        // Run Claude via local Agent SDK / CLI
         const { command, options } = data;
-        console.log(c.cyan(`[RELAY] Claude query: ${command?.slice(0, 80)}...`));
+        logRelayEvent('>', `Claude query: ${command?.slice(0, 60)}...`, 'cyan');
 
-        // Use claude CLI for the query
         const args = ['--print'];
         if (options?.projectPath) args.push('--cwd', options.projectPath);
         if (options?.sessionId) args.push('--continue', options.sessionId);
@@ -133,7 +139,11 @@ async function handleRelayCommand(data, ws) {
 
       case 'shell-command': {
         const { command: cmd, cwd } = data;
-        console.log(c.dim(`[RELAY] Shell: ${cmd?.slice(0, 60)}`));
+        // Block dangerous shell patterns
+        if (!cmd || typeof cmd !== 'string') throw new Error('Invalid command');
+        const dangerous = ['rm -rf /', 'mkfs', 'dd if=', ':(){', 'fork bomb', '> /dev/sd'];
+        if (dangerous.some(d => cmd.includes(d))) throw new Error('Command blocked for safety');
+        logRelayEvent('$', `Shell: ${cmd?.slice(0, 50)}`, 'dim');
         const result = await execCommand(cmd, [], { cwd: cwd || os.homedir(), timeout: 60000 });
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { stdout: result } }));
         break;
@@ -141,14 +151,26 @@ async function handleRelayCommand(data, ws) {
 
       case 'file-read': {
         const { filePath } = data;
-        const content = await fsPromises.readFile(filePath, 'utf8');
+        if (!filePath || typeof filePath !== 'string') throw new Error('Invalid file path');
+        // Block reading sensitive system files
+        const normalizedPath = path.resolve(filePath);
+        const blocked = ['/etc/shadow', '/etc/passwd', '.ssh/id_rsa', '.env'];
+        if (blocked.some(b => normalizedPath.includes(b))) throw new Error('Access denied');
+        logRelayEvent('R', `Read: ${filePath}`, 'dim');
+        const content = await fsPromises.readFile(normalizedPath, 'utf8');
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { content } }));
         break;
       }
 
       case 'file-write': {
         const { filePath: fp, content: fileContent } = data;
-        await fsPromises.writeFile(fp, fileContent, 'utf8');
+        if (!fp || typeof fp !== 'string') throw new Error('Invalid file path');
+        // Block writing to sensitive locations
+        const normalizedFp = path.resolve(fp);
+        const blockedDirs = ['/etc/', '/usr/bin/', '/usr/sbin/', 'System32', '.ssh/'];
+        if (blockedDirs.some(d => normalizedFp.includes(d))) throw new Error('Access denied');
+        logRelayEvent('W', `Write: ${fp}`, 'dim');
+        await fsPromises.writeFile(normalizedFp, fileContent, 'utf8');
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { success: true } }));
         break;
       }
@@ -162,7 +184,7 @@ async function handleRelayCommand(data, ws) {
 
       case 'git-operation': {
         const { gitCommand, cwd: gitCwd } = data;
-        console.log(c.dim(`[RELAY] Git: ${gitCommand}`));
+        logRelayEvent('G', `Git: ${gitCommand}`, 'dim');
         const result = await execCommand('git', [gitCommand], { cwd: gitCwd });
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { stdout: result } }));
         break;
@@ -192,7 +214,7 @@ async function buildFileTree(dirPath, maxDepth, currentDepth = 0) {
   try {
     const entries = await fsPromises.readdir(dirPath, { withFileTypes: true });
     const items = [];
-    for (const entry of entries.slice(0, 100)) { // Limit to 100 entries
+    for (const entry of entries.slice(0, 100)) {
       if (entry.name.startsWith('.') || entry.name === 'node_modules') continue;
       const item = { name: entry.name, type: entry.isDirectory() ? 'directory' : 'file' };
       if (entry.isDirectory() && currentDepth < maxDepth - 1) {
@@ -207,7 +229,22 @@ async function buildFileTree(dirPath, maxDepth, currentDepth = 0) {
 }
 
 /**
- * Main connect function
+ * Create WebSocket connection with optional API key in handshake
+ */
+function createRelayConnection(wsUrl, config = {}) {
+  const headers = {};
+  // Send API key in WebSocket headers if available
+  if (config.anthropicApiKey) {
+    headers['x-anthropic-api-key'] = config.anthropicApiKey;
+  }
+  headers['x-upfyn-version'] = VERSION;
+  headers['x-upfyn-machine'] = os.hostname();
+
+  return new WebSocket(wsUrl, { headers });
+}
+
+/**
+ * Main connect function (interactive — with animation and logging)
  */
 export async function connectToServer(options = {}) {
   const config = loadConfig();
@@ -215,43 +252,44 @@ export async function connectToServer(options = {}) {
   const relayKey = options.key || config.relayKey;
 
   if (!relayKey) {
-    console.error(c.red('No relay key provided.'));
-    console.log('Generate a relay token from Settings > Relay Tokens in the web UI.');
-    console.log(`Then run: ${c.cyan('upfynai-code connect --key upfyn_your_token_here')}`);
+    console.log('');
+    console.log(`  ${c.red('FAIL')} No relay key provided.`);
+    console.log('');
+    console.log(`  ${c.gray('Get your relay token from the web UI:')}`);
+    console.log(`  ${c.dim('1.')} Sign in at ${c.cyan('https://cli.upfyn.com')}`);
+    console.log(`  ${c.dim('2.')} Click ${c.bright('Connect')} button`);
+    console.log(`  ${c.dim('3.')} Copy the command and run it here`);
+    console.log('');
+    console.log(`  ${c.gray('Or run:')} ${c.bright('uc connect --server <url> --key upfyn_your_token')}`);
+    console.log('');
     process.exit(1);
   }
 
   // Save config for future use
   saveConfig({ ...config, server: serverUrl, relayKey });
 
+  // Show beautiful startup with rocket animation
+  await showConnectStartup(
+    serverUrl,
+    os.hostname(),
+    os.userInfo().username,
+    VERSION
+  );
+
   const wsUrl = serverUrl.replace(/^http/, 'ws') + '/relay?token=' + encodeURIComponent(relayKey);
 
-  console.log(c.bold('\n  Upfyn-Code Relay Client\n'));
-  console.log(`  Server: ${c.cyan(serverUrl)}`);
-  console.log(`  Machine: ${c.dim(os.hostname())}`);
-  console.log(`  User: ${c.dim(os.userInfo().username)}\n`);
+  const spinner = createSpinner('Connecting to server...');
+  spinner.start();
 
   let reconnectAttempts = 0;
   const MAX_RECONNECT = 10;
 
   function connect() {
-    const ws = new WebSocket(wsUrl);
+    const ws = createRelayConnection(wsUrl, config);
 
     ws.on('open', () => {
       reconnectAttempts = 0;
-      console.log(c.green('  Connected! Your local machine is now bridged to the server.'));
-      console.log(c.dim('  Press Ctrl+C to disconnect.\n'));
-
-      // Send heartbeat every 30 seconds
-      const heartbeat = setInterval(() => {
-        if (ws.readyState === 1) {
-          ws.send(JSON.stringify({ type: 'ping' }));
-        }
-      }, 30000);
-
-      ws.on('close', () => {
-        clearInterval(heartbeat);
-      });
+      // Don't stop spinner yet — wait for relay-connected message
     });
 
     ws.on('message', (rawMessage) => {
@@ -259,7 +297,12 @@ export async function connectToServer(options = {}) {
         const data = JSON.parse(rawMessage);
 
         if (data.type === 'relay-connected') {
-          console.log(c.green(`  ${data.message}`));
+          spinner.stop('Connected!');
+          // Extract username from message if possible
+          const nameMatch = data.message?.match(/Connected as (.+?)\./);
+          const username = nameMatch ? nameMatch[1] : 'Unknown';
+          showConnectionBanner(username, serverUrl);
+          logRelayEvent('*', 'Relay active -- waiting for commands...', 'green');
           return;
         }
 
@@ -271,44 +314,112 @@ export async function connectToServer(options = {}) {
         if (data.type === 'pong') return;
 
         if (data.type === 'error') {
-          console.error(c.red(`  Server error: ${data.error}`));
+          spinner.fail(`Server error: ${data.error}`);
           return;
         }
       } catch (e) {
-        console.error(c.red(`  Error: ${e.message}`));
+        logRelayEvent('!', `Parse error: ${e.message}`, 'red');
       }
     });
 
     ws.on('close', (code) => {
       if (code === 1000) {
-        console.log(c.dim('  Disconnected.'));
+        logRelayEvent('-', 'Disconnected gracefully.', 'dim');
         process.exit(0);
       }
 
       reconnectAttempts++;
       if (reconnectAttempts <= MAX_RECONNECT) {
         const delay = Math.min(1000 * Math.pow(2, reconnectAttempts), 30000);
-        console.log(c.dim(`  Connection lost. Reconnecting in ${delay / 1000}s... (${reconnectAttempts}/${MAX_RECONNECT})`));
+        logRelayEvent('~', `Connection lost. Reconnecting in ${delay / 1000}s... (${reconnectAttempts}/${MAX_RECONNECT})`, 'yellow');
         setTimeout(connect, delay);
       } else {
-        console.error(c.red('  Max reconnection attempts reached. Exiting.'));
+        logRelayEvent('X', 'Max reconnection attempts reached. Exiting.', 'red');
         process.exit(1);
       }
     });
 
     ws.on('error', (err) => {
       if (err.code === 'ECONNREFUSED') {
-        console.error(c.red(`  Cannot reach ${serverUrl}. Is the server running?`));
+        spinner.fail(`Cannot reach ${serverUrl}. Is the server running?`);
       }
       // close handler will trigger reconnect
     });
+
+    // Heartbeat every 30 seconds
+    const heartbeat = setInterval(() => {
+      if (ws.readyState === 1) {
+        ws.send(JSON.stringify({ type: 'ping' }));
+      } else {
+        clearInterval(heartbeat);
+      }
+    }, 30000);
   }
 
   connect();
 
   // Graceful shutdown
   process.on('SIGINT', () => {
-    console.log(c.dim('\n  Disconnecting...'));
+    console.log('');
+    logRelayEvent('-', 'Disconnecting...', 'dim');
     process.exit(0);
   });
 }
+
+/**
+ * Background connect function (silent — used when uc launches Claude Code)
+ * Runs relay in the background without animation or user-facing output.
+ */
+export function connectToServerBackground(options = {}) {
+  const config = loadConfig();
+  const serverUrl = options.server || config.server;
+  const relayKey = options.key || config.relayKey;
+
+  if (!serverUrl || !relayKey) return;
+
+  const wsUrl = serverUrl.replace(/^http/, 'ws') + '/relay?token=' + encodeURIComponent(relayKey);
+
+  let reconnectAttempts = 0;
+  const MAX_RECONNECT = 5;
+
+  function connect() {
+    const ws = createRelayConnection(wsUrl, config);
+
+    ws.on('message', (rawMessage) => {
+      try {
+        const data = JSON.parse(rawMessage);
+        if (data.type === 'relay-command') {
+          handleRelayCommand(data, ws);
+        }
+      } catch { /* ignore */ }
+    });
+
+    ws.on('open', () => {
+      reconnectAttempts = 0;
+    });
+
+    ws.on('close', (code) => {
+      if (code === 1000) return;
+      reconnectAttempts++;
+      if (reconnectAttempts <= MAX_RECONNECT) {
+        const delay = Math.min(1000 * Math.pow(2, reconnectAttempts), 30000);
+        setTimeout(connect, delay);
+      }
+    });
+
+    ws.on('error', () => {
+      // silent — close handler will reconnect
+    });
+
+    // Heartbeat
+    const heartbeat = setInterval(() => {
+      if (ws.readyState === 1) {
+        ws.send(JSON.stringify({ type: 'ping' }));
+      } else {
+        clearInterval(heartbeat);
+      }
+    }, 30000);
+  }
+
+  connect();
+}

package/server/routes/agent.js

@@ -4,15 +4,34 @@ import path from 'path';
 import os from 'os';
 import { promises as fs } from 'fs';
 import crypto from 'crypto';
-import { userDb, apiKeysDb, githubTokensDb } from '../database/db.js';
+import { userDb, apiKeysDb, githubTokensDb, credentialsDb } from '../database/db.js';
 import { addProjectManually } from '../projects.js';
 import { queryClaudeSDK } from '../claude-sdk.js';
 import { spawnCursor } from '../cursor-cli.js';
 import { queryCodex } from '../openai-codex.js';
 import { Octokit } from '@octokit/rest';
 import { CLAUDE_MODELS, CURSOR_MODELS, CODEX_MODELS } from '../../shared/modelConstants.js';
+import { queryOpenRouter, OPENROUTER_MODELS } from '../openrouter.js';
 import { IS_PLATFORM } from '../constants/config.js';
 
+// BYOK helper: get user's stored API key for a provider
+async function getUserProviderKey(userId, providerType) {
+    if (!userId) return null;
+    try {
+        const creds = await credentialsDb.getCredentials(userId, providerType);
+        const active = creds.find(c => c.is_active);
+        return active?.credential_value || null;
+    } catch { return null; }
+}
+
+async function withUserApiKey(envKey, userKey, fn) {
+    if (!userKey) return fn();
+    const prev = process.env[envKey];
+    process.env[envKey] = userKey;
+    try { return await fn(); }
+    finally { if (prev !== undefined) process.env[envKey] = prev; else delete process.env[envKey]; }
+}
+
 const router = express.Router();
 
 /**
@@ -939,17 +958,22 @@ router.post('/', validateExternalApiKey, async (req, res) => {
       });
     }
 
-    // Start the appropriate session
+    // Start the appropriate session (with BYOK key injection where applicable)
+    const userId = req.user?.id;
+
     if (provider === 'claude') {
       console.log('🤖 Starting Claude SDK session');
-
-      await queryClaudeSDK(message.trim(), {
-        projectPath: finalProjectPath,
-        cwd: finalProjectPath,
-        sessionId: null, // New session
-        model: model,
-        permissionMode: 'bypassPermissions' // Bypass all permissions for API calls
-      }, writer);
+      const userKey = await getUserProviderKey(userId, 'anthropic_key');
+
+      await withUserApiKey('ANTHROPIC_API_KEY', userKey, () =>
+        queryClaudeSDK(message.trim(), {
+          projectPath: finalProjectPath,
+          cwd: finalProjectPath,
+          sessionId: null,
+          model: model,
+          permissionMode: 'bypassPermissions'
+        }, writer)
+      );
 
     } else if (provider === 'cursor') {
       console.log('🖱️ Starting Cursor CLI session');
@@ -957,19 +981,30 @@ router.post('/', validateExternalApiKey, async (req, res) => {
       await spawnCursor(message.trim(), {
         projectPath: finalProjectPath,
         cwd: finalProjectPath,
-        sessionId: null, // New session
+        sessionId: null,
         model: model || undefined,
-        skipPermissions: true // Bypass permissions for Cursor
+        skipPermissions: true
       }, writer);
     } else if (provider === 'codex') {
       console.log('🤖 Starting Codex SDK session');
-
-      await queryCodex(message.trim(), {
-        projectPath: finalProjectPath,
-        cwd: finalProjectPath,
-        sessionId: null,
-        model: model || CODEX_MODELS.DEFAULT,
-        permissionMode: 'bypassPermissions'
+      const userKey = await getUserProviderKey(userId, 'openai_key');
+
+      await withUserApiKey('OPENAI_API_KEY', userKey, () =>
+        queryCodex(message.trim(), {
+          projectPath: finalProjectPath,
+          cwd: finalProjectPath,
+          sessionId: null,
+          model: model || CODEX_MODELS.DEFAULT,
+          permissionMode: 'bypassPermissions'
+        }, writer)
+      );
+    } else if (provider === 'openrouter') {
+      console.log('🌐 Starting OpenRouter session');
+      const userKey = await getUserProviderKey(userId, 'openrouter_key');
+
+      await queryOpenRouter(message.trim(), {
+        model: model || OPENROUTER_MODELS.DEFAULT,
+        apiKey: userKey,
       }, writer);
     }
 

package/server/routes/auth.js

@@ -1,6 +1,6 @@
 import express from 'express';
 import bcrypt from 'bcryptjs';
-import { userDb, subscriptionDb, relayTokensDb, apiKeysDb } from '../database/db.js';
+import { db, userDb, subscriptionDb, relayTokensDb, apiKeysDb } from '../database/db.js';
 import { generateToken, authenticateToken, setSessionCookie, clearSessionCookie } from '../middleware/auth.js';
 
 const router = express.Router();
@@ -19,8 +19,12 @@ router.get('/status', async (req, res) => {
   }
 });
 
-// User registration — allows multiple users
-router.post('/register', async (req, res) => {
+// User registration — allows multiple users (rate limited)
+router.post('/register', (req, res, next) => {
+  const rl = req.app.locals.authRateLimit;
+  if (rl) return rl(req, res, next);
+  next();
+}, async (req, res) => {
   try {
     const { username, password, email, phone, firstName, lastName } = req.body;
 
@@ -28,13 +32,16 @@ router.post('/register', async (req, res) => {
     if (!password) {
       return res.status(400).json({ error: 'Password is required' });
     }
-    if (password.length < 6) {
-      return res.status(400).json({ error: 'Password must be at least 6 characters' });
+    if (password.length < 8) {
+      return res.status(400).json({ error: 'Password must be at least 8 characters' });
+    }
+    if (password.length > 128) {
+      return res.status(400).json({ error: 'Password is too long' });
     }
 
-    // Derive display username from firstName + lastName if no username provided
-    const fName = (firstName || '').trim();
-    const lName = (lastName || '').trim();
+    // Sanitize and validate name/phone inputs
+    const fName = (firstName || '').trim().slice(0, 50);
+    const lName = (lastName || '').trim().slice(0, 50);
     const displayName = username || [fName, lName].filter(Boolean).join(' ') || 'User';
 
     if (displayName.length < 2) {
@@ -86,39 +93,69 @@ router.post('/register', async (req, res) => {
   }
 });
 
-// User login
-router.post('/login', async (req, res) => {
+// User login (rate limited)
+router.post('/login', (req, res, next) => {
+  const rl = req.app.locals.authRateLimit;
+  if (rl) return rl(req, res, next);
+  next();
+}, async (req, res) => {
   try {
-    const { username, password } = req.body;
+    const { username, password, firstName, lastName, phone } = req.body;
 
     if (!username || !password) {
-      return res.status(400).json({ error: 'Username and password are required' });
+      return res.status(400).json({ error: 'Email and password are required' });
     }
 
     const user = await userDb.getUserByUsername(username.trim());
     if (!user) {
-      return res.status(401).json({ error: 'Invalid username or password' });
+      return res.status(401).json({ error: 'Invalid email or password' });
     }
 
     const isValidPassword = await bcrypt.compare(password, user.password_hash);
     if (!isValidPassword) {
-      return res.status(401).json({ error: 'Invalid username or password' });
+      return res.status(401).json({ error: 'Invalid email or password' });
+    }
+
+    // Update name/phone if provided and different from stored values
+    const fName = (firstName || '').trim().slice(0, 50);
+    const lName = (lastName || '').trim().slice(0, 50);
+    const ph = (phone || '').trim().slice(0, 20);
+    const updates = [];
+    const args = [];
+    if (fName && fName !== user.first_name) { updates.push('first_name = ?'); args.push(fName); }
+    if (lName && lName !== user.last_name) { updates.push('last_name = ?'); args.push(lName); }
+    if (ph && ph !== user.phone) { updates.push('phone = ?'); args.push(ph); }
+    if (fName && lName && `${fName} ${lName}` !== user.username) {
+      updates.push('username = ?');
+      args.push(`${fName} ${lName}`);
+    } else if (fName && !lName && fName !== user.username && !user.last_name) {
+      updates.push('username = ?');
+      args.push(fName);
+    }
+    if (updates.length > 0) {
+      try {
+        args.push(user.id);
+        await db.execute({ sql: `UPDATE users SET ${updates.join(', ')} WHERE id = ?`, args });
+      } catch { /* non-critical profile update */ }
     }
 
+    // Re-fetch user to get updated fields
+    const updatedUser = updates.length > 0 ? (await userDb.getUserById(user.id)) || user : user;
+
     // Generate token + set cookie
-    const token = generateToken(user);
+    const token = generateToken(updatedUser);
     setSessionCookie(res, token);
-    await userDb.updateLastLogin(user.id);
+    await userDb.updateLastLogin(updatedUser.id);
 
     // Backfill relay token + API key if missing (for users created before auto-provisioning)
     try {
-      const existingTokens = await relayTokensDb.getTokens(user.id);
+      const existingTokens = await relayTokensDb.getTokens(updatedUser.id);
       if (existingTokens.length === 0) {
-        await relayTokensDb.createToken(user.id, 'default');
+        await relayTokensDb.createToken(updatedUser.id, 'default');
       }
-      const existingKeys = await apiKeysDb.getApiKeys(user.id);
+      const existingKeys = await apiKeysDb.getApiKeys(updatedUser.id);
       if (existingKeys.length === 0) {
-        await apiKeysDb.createApiKey(user.id, 'default');
+        await apiKeysDb.createApiKey(updatedUser.id, 'default');
       }
     } catch { /* non-critical backfill */ }
 
@@ -126,7 +163,7 @@ router.post('/login', async (req, res) => {
     let subscription = null;
     try {
       await subscriptionDb.expireOverdue();
-      const sub = await subscriptionDb.getActiveSub(user.id);
+      const sub = await subscriptionDb.getActiveSub(updatedUser.id);
       if (sub) {
         subscription = { id: sub.id, planId: sub.plan_id, status: sub.status, startsAt: sub.starts_at, expiresAt: sub.expires_at };
       }
@@ -134,7 +171,7 @@ router.post('/login', async (req, res) => {
 
     res.json({
       success: true,
-      user: { id: user.user_code || `upc-${String(user.id).padStart(3, '0')}`, username: user.username, first_name: user.first_name, last_name: user.last_name, email: user.email, phone: user.phone, access_override: user.access_override || null, subscription },
+      user: { id: updatedUser.user_code || `upc-${String(updatedUser.id).padStart(3, '0')}`, username: updatedUser.username, first_name: updatedUser.first_name, last_name: updatedUser.last_name, email: updatedUser.email, phone: updatedUser.phone, access_override: updatedUser.access_override || null, subscription },
       token // backward compat
     });
 

package/server/routes/settings.js

@@ -175,4 +175,95 @@ router.patch('/credentials/:credentialId/toggle', async (req, res) => {
   }
 });
 
+// ===============================
+// AI Provider Keys (BYOK)
+// ===============================
+
+const AI_PROVIDER_TYPES = [
+  'anthropic_key',
+  'openai_key',
+  'openrouter_key',
+  'google_key',
+];
+
+// Get all AI provider keys for the authenticated user (masked values)
+router.get('/ai-providers', async (req, res) => {
+  try {
+    const allCreds = [];
+    for (const type of AI_PROVIDER_TYPES) {
+      const creds = await credentialsDb.getCredentials(req.user.id, type);
+      allCreds.push(...creds.map(c => ({
+        id: c.id,
+        credential_name: c.credential_name,
+        credential_type: c.credential_type,
+        description: c.description,
+        is_active: c.is_active,
+        created_at: c.created_at,
+        // Mask the key — show first 8 and last 4 chars
+        masked_value: c.credential_value
+          ? c.credential_value.slice(0, 8) + '...' + c.credential_value.slice(-4)
+          : '***',
+      })));
+    }
+    res.json({ providers: allCreds });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to fetch AI provider keys' });
+  }
+});
+
+// Save an AI provider key
+router.post('/ai-providers', async (req, res) => {
+  try {
+    const { providerType, apiKey, name } = req.body;
+
+    if (!providerType || !AI_PROVIDER_TYPES.includes(providerType)) {
+      return res.status(400).json({ error: `Invalid provider type. Supported: ${AI_PROVIDER_TYPES.join(', ')}` });
+    }
+    if (!apiKey || !apiKey.trim()) {
+      return res.status(400).json({ error: 'API key is required' });
+    }
+    if (apiKey.trim().length < 10 || apiKey.trim().length > 256) {
+      return res.status(400).json({ error: 'Invalid API key length' });
+    }
+
+    const label = providerType.replace('_key', '').replace('_', ' ');
+    const credName = name?.trim() || `${label} API key`;
+
+    // Deactivate existing keys of same type (user should only have one active per provider)
+    const existing = await credentialsDb.getCredentials(req.user.id, providerType);
+    for (const cred of existing) {
+      if (cred.is_active) {
+        await credentialsDb.toggleCredential(req.user.id, cred.id, false);
+      }
+    }
+
+    const result = await credentialsDb.createCredential(
+      req.user.id,
+      credName,
+      providerType,
+      apiKey.trim(),
+      `User-provided ${label} API key`
+    );
+
+    res.json({ success: true, credential: { id: result.id, credential_type: providerType, credential_name: credName } });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to save AI provider key' });
+  }
+});
+
+// Delete an AI provider key
+router.delete('/ai-providers/:credentialId', async (req, res) => {
+  try {
+    const { credentialId } = req.params;
+    const success = await credentialsDb.deleteCredential(req.user.id, parseInt(credentialId));
+    if (success) {
+      res.json({ success: true });
+    } else {
+      res.status(404).json({ error: 'Provider key not found' });
+    }
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to delete provider key' });
+  }
+});
+
 export default router;