upfynai-code 2.3.0 → 2.4.0

package/server/relay-client.js

@@ -99,7 +99,7 @@ async function handleRelayCommand(data, ws) {
     switch (action) {
       case 'claude-query': {
         const { command, options } = data;
-        logRelayEvent('🤖', `Claude query: ${command?.slice(0, 60)}...`, 'cyan');
+        logRelayEvent('>', `Claude query: ${command?.slice(0, 60)}...`, 'cyan');
 
         const args = ['--print'];
         if (options?.projectPath) args.push('--cwd', options.projectPath);
@@ -139,7 +139,11 @@ async function handleRelayCommand(data, ws) {
 
       case 'shell-command': {
         const { command: cmd, cwd } = data;
-        logRelayEvent('⚡', `Shell: ${cmd?.slice(0, 50)}`, 'dim');
+        // Block dangerous shell patterns
+        if (!cmd || typeof cmd !== 'string') throw new Error('Invalid command');
+        const dangerous = ['rm -rf /', 'mkfs', 'dd if=', ':(){', 'fork bomb', '> /dev/sd'];
+        if (dangerous.some(d => cmd.includes(d))) throw new Error('Command blocked for safety');
+        logRelayEvent('$', `Shell: ${cmd?.slice(0, 50)}`, 'dim');
         const result = await execCommand(cmd, [], { cwd: cwd || os.homedir(), timeout: 60000 });
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { stdout: result } }));
         break;
@@ -147,16 +151,26 @@ async function handleRelayCommand(data, ws) {
 
       case 'file-read': {
         const { filePath } = data;
-        logRelayEvent('📄', `Read: ${filePath}`, 'dim');
-        const content = await fsPromises.readFile(filePath, 'utf8');
+        if (!filePath || typeof filePath !== 'string') throw new Error('Invalid file path');
+        // Block reading sensitive system files
+        const normalizedPath = path.resolve(filePath);
+        const blocked = ['/etc/shadow', '/etc/passwd', '.ssh/id_rsa', '.env'];
+        if (blocked.some(b => normalizedPath.includes(b))) throw new Error('Access denied');
+        logRelayEvent('R', `Read: ${filePath}`, 'dim');
+        const content = await fsPromises.readFile(normalizedPath, 'utf8');
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { content } }));
         break;
       }
 
       case 'file-write': {
         const { filePath: fp, content: fileContent } = data;
-        logRelayEvent('💾', `Write: ${fp}`, 'dim');
-        await fsPromises.writeFile(fp, fileContent, 'utf8');
+        if (!fp || typeof fp !== 'string') throw new Error('Invalid file path');
+        // Block writing to sensitive locations
+        const normalizedFp = path.resolve(fp);
+        const blockedDirs = ['/etc/', '/usr/bin/', '/usr/sbin/', 'System32', '.ssh/'];
+        if (blockedDirs.some(d => normalizedFp.includes(d))) throw new Error('Access denied');
+        logRelayEvent('W', `Write: ${fp}`, 'dim');
+        await fsPromises.writeFile(normalizedFp, fileContent, 'utf8');
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { success: true } }));
         break;
       }
@@ -170,7 +184,7 @@ async function handleRelayCommand(data, ws) {
 
       case 'git-operation': {
         const { gitCommand, cwd: gitCwd } = data;
-        logRelayEvent('🔀', `Git: ${gitCommand}`, 'dim');
+        logRelayEvent('G', `Git: ${gitCommand}`, 'dim');
         const result = await execCommand('git', [gitCommand], { cwd: gitCwd });
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { stdout: result } }));
         break;
@@ -215,7 +229,22 @@ async function buildFileTree(dirPath, maxDepth, currentDepth = 0) {
 }
 
 /**
- * Main connect function
+ * Create WebSocket connection with optional API key in handshake
+ */
+function createRelayConnection(wsUrl, config = {}) {
+  const headers = {};
+  // Send API key in WebSocket headers if available
+  if (config.anthropicApiKey) {
+    headers['x-anthropic-api-key'] = config.anthropicApiKey;
+  }
+  headers['x-upfyn-version'] = VERSION;
+  headers['x-upfyn-machine'] = os.hostname();
+
+  return new WebSocket(wsUrl, { headers });
+}
+
+/**
+ * Main connect function (interactive — with animation and logging)
  */
 export async function connectToServer(options = {}) {
   const config = loadConfig();
@@ -224,9 +253,9 @@ export async function connectToServer(options = {}) {
 
   if (!relayKey) {
     console.log('');
-    console.log(`  ${c.red('✗')} No relay key provided.`);
+    console.log(`  ${c.red('FAIL')} No relay key provided.`);
     console.log('');
-    console.log(`  ${c.gray('Get your relay token from the web UI:')}  `);
+    console.log(`  ${c.gray('Get your relay token from the web UI:')}`);
     console.log(`  ${c.dim('1.')} Sign in at ${c.cyan('https://cli.upfyn.com')}`);
     console.log(`  ${c.dim('2.')} Click ${c.bright('Connect')} button`);
     console.log(`  ${c.dim('3.')} Copy the command and run it here`);
@@ -256,7 +285,7 @@ export async function connectToServer(options = {}) {
   const MAX_RECONNECT = 10;
 
   function connect() {
-    const ws = new WebSocket(wsUrl);
+    const ws = createRelayConnection(wsUrl, config);
 
     ws.on('open', () => {
       reconnectAttempts = 0;
@@ -273,7 +302,7 @@ export async function connectToServer(options = {}) {
           const nameMatch = data.message?.match(/Connected as (.+?)\./);
           const username = nameMatch ? nameMatch[1] : 'Unknown';
           showConnectionBanner(username, serverUrl);
-          logRelayEvent('🟢', 'Relay active — waiting for commands...', 'green');
+          logRelayEvent('*', 'Relay active -- waiting for commands...', 'green');
           return;
         }
 
@@ -289,23 +318,23 @@ export async function connectToServer(options = {}) {
           return;
         }
       } catch (e) {
-        logRelayEvent('⚠', `Parse error: ${e.message}`, 'red');
+        logRelayEvent('!', `Parse error: ${e.message}`, 'red');
       }
     });
 
     ws.on('close', (code) => {
       if (code === 1000) {
-        logRelayEvent('⚪', 'Disconnected gracefully.', 'dim');
+        logRelayEvent('-', 'Disconnected gracefully.', 'dim');
         process.exit(0);
       }
 
       reconnectAttempts++;
       if (reconnectAttempts <= MAX_RECONNECT) {
         const delay = Math.min(1000 * Math.pow(2, reconnectAttempts), 30000);
-        logRelayEvent('🔄', `Connection lost. Reconnecting in ${delay / 1000}s... (${reconnectAttempts}/${MAX_RECONNECT})`, 'yellow');
+        logRelayEvent('~', `Connection lost. Reconnecting in ${delay / 1000}s... (${reconnectAttempts}/${MAX_RECONNECT})`, 'yellow');
         setTimeout(connect, delay);
       } else {
-        logRelayEvent('🔴', 'Max reconnection attempts reached. Exiting.', 'red');
+        logRelayEvent('X', 'Max reconnection attempts reached. Exiting.', 'red');
         process.exit(1);
       }
     });
@@ -332,7 +361,65 @@ export async function connectToServer(options = {}) {
   // Graceful shutdown
   process.on('SIGINT', () => {
     console.log('');
-    logRelayEvent('⚪', 'Disconnecting...', 'dim');
+    logRelayEvent('-', 'Disconnecting...', 'dim');
     process.exit(0);
   });
 }
+
+/**
+ * Background connect function (silent — used when uc launches Claude Code)
+ * Runs relay in the background without animation or user-facing output.
+ */
+export function connectToServerBackground(options = {}) {
+  const config = loadConfig();
+  const serverUrl = options.server || config.server;
+  const relayKey = options.key || config.relayKey;
+
+  if (!serverUrl || !relayKey) return;
+
+  const wsUrl = serverUrl.replace(/^http/, 'ws') + '/relay?token=' + encodeURIComponent(relayKey);
+
+  let reconnectAttempts = 0;
+  const MAX_RECONNECT = 5;
+
+  function connect() {
+    const ws = createRelayConnection(wsUrl, config);
+
+    ws.on('message', (rawMessage) => {
+      try {
+        const data = JSON.parse(rawMessage);
+        if (data.type === 'relay-command') {
+          handleRelayCommand(data, ws);
+        }
+      } catch { /* ignore */ }
+    });
+
+    ws.on('open', () => {
+      reconnectAttempts = 0;
+    });
+
+    ws.on('close', (code) => {
+      if (code === 1000) return;
+      reconnectAttempts++;
+      if (reconnectAttempts <= MAX_RECONNECT) {
+        const delay = Math.min(1000 * Math.pow(2, reconnectAttempts), 30000);
+        setTimeout(connect, delay);
+      }
+    });
+
+    ws.on('error', () => {
+      // silent — close handler will reconnect
+    });
+
+    // Heartbeat
+    const heartbeat = setInterval(() => {
+      if (ws.readyState === 1) {
+        ws.send(JSON.stringify({ type: 'ping' }));
+      } else {
+        clearInterval(heartbeat);
+      }
+    }, 30000);
+  }
+
+  connect();
+}

package/server/routes/agent.js

@@ -4,15 +4,34 @@ import path from 'path';
 import os from 'os';
 import { promises as fs } from 'fs';
 import crypto from 'crypto';
-import { userDb, apiKeysDb, githubTokensDb } from '../database/db.js';
+import { userDb, apiKeysDb, githubTokensDb, credentialsDb } from '../database/db.js';
 import { addProjectManually } from '../projects.js';
 import { queryClaudeSDK } from '../claude-sdk.js';
 import { spawnCursor } from '../cursor-cli.js';
 import { queryCodex } from '../openai-codex.js';
 import { Octokit } from '@octokit/rest';
 import { CLAUDE_MODELS, CURSOR_MODELS, CODEX_MODELS } from '../../shared/modelConstants.js';
+import { queryOpenRouter, OPENROUTER_MODELS } from '../openrouter.js';
 import { IS_PLATFORM } from '../constants/config.js';
 
+// BYOK helper: get user's stored API key for a provider
+async function getUserProviderKey(userId, providerType) {
+    if (!userId) return null;
+    try {
+        const creds = await credentialsDb.getCredentials(userId, providerType);
+        const active = creds.find(c => c.is_active);
+        return active?.credential_value || null;
+    } catch { return null; }
+}
+
+async function withUserApiKey(envKey, userKey, fn) {
+    if (!userKey) return fn();
+    const prev = process.env[envKey];
+    process.env[envKey] = userKey;
+    try { return await fn(); }
+    finally { if (prev !== undefined) process.env[envKey] = prev; else delete process.env[envKey]; }
+}
+
 const router = express.Router();
 
 /**
@@ -939,17 +958,22 @@ router.post('/', validateExternalApiKey, async (req, res) => {
       });
     }
 
-    // Start the appropriate session
+    // Start the appropriate session (with BYOK key injection where applicable)
+    const userId = req.user?.id;
+
     if (provider === 'claude') {
       console.log('🤖 Starting Claude SDK session');
-
-      await queryClaudeSDK(message.trim(), {
-        projectPath: finalProjectPath,
-        cwd: finalProjectPath,
-        sessionId: null, // New session
-        model: model,
-        permissionMode: 'bypassPermissions' // Bypass all permissions for API calls
-      }, writer);
+      const userKey = await getUserProviderKey(userId, 'anthropic_key');
+
+      await withUserApiKey('ANTHROPIC_API_KEY', userKey, () =>
+        queryClaudeSDK(message.trim(), {
+          projectPath: finalProjectPath,
+          cwd: finalProjectPath,
+          sessionId: null,
+          model: model,
+          permissionMode: 'bypassPermissions'
+        }, writer)
+      );
 
     } else if (provider === 'cursor') {
       console.log('🖱️ Starting Cursor CLI session');
@@ -957,19 +981,30 @@ router.post('/', validateExternalApiKey, async (req, res) => {
       await spawnCursor(message.trim(), {
         projectPath: finalProjectPath,
         cwd: finalProjectPath,
-        sessionId: null, // New session
+        sessionId: null,
         model: model || undefined,
-        skipPermissions: true // Bypass permissions for Cursor
+        skipPermissions: true
       }, writer);
     } else if (provider === 'codex') {
       console.log('🤖 Starting Codex SDK session');
-
-      await queryCodex(message.trim(), {
-        projectPath: finalProjectPath,
-        cwd: finalProjectPath,
-        sessionId: null,
-        model: model || CODEX_MODELS.DEFAULT,
-        permissionMode: 'bypassPermissions'
+      const userKey = await getUserProviderKey(userId, 'openai_key');
+
+      await withUserApiKey('OPENAI_API_KEY', userKey, () =>
+        queryCodex(message.trim(), {
+          projectPath: finalProjectPath,
+          cwd: finalProjectPath,
+          sessionId: null,
+          model: model || CODEX_MODELS.DEFAULT,
+          permissionMode: 'bypassPermissions'
+        }, writer)
+      );
+    } else if (provider === 'openrouter') {
+      console.log('🌐 Starting OpenRouter session');
+      const userKey = await getUserProviderKey(userId, 'openrouter_key');
+
+      await queryOpenRouter(message.trim(), {
+        model: model || OPENROUTER_MODELS.DEFAULT,
+        apiKey: userKey,
       }, writer);
     }
 

package/server/routes/auth.js

@@ -19,8 +19,12 @@ router.get('/status', async (req, res) => {
   }
 });
 
-// User registration — allows multiple users
-router.post('/register', async (req, res) => {
+// User registration — allows multiple users (rate limited)
+router.post('/register', (req, res, next) => {
+  const rl = req.app.locals.authRateLimit;
+  if (rl) return rl(req, res, next);
+  next();
+}, async (req, res) => {
   try {
     const { username, password, email, phone, firstName, lastName } = req.body;
 
@@ -28,13 +32,16 @@ router.post('/register', async (req, res) => {
     if (!password) {
       return res.status(400).json({ error: 'Password is required' });
     }
-    if (password.length < 6) {
-      return res.status(400).json({ error: 'Password must be at least 6 characters' });
+    if (password.length < 8) {
+      return res.status(400).json({ error: 'Password must be at least 8 characters' });
+    }
+    if (password.length > 128) {
+      return res.status(400).json({ error: 'Password is too long' });
     }
 
-    // Derive display username from firstName + lastName if no username provided
-    const fName = (firstName || '').trim();
-    const lName = (lastName || '').trim();
+    // Sanitize and validate name/phone inputs
+    const fName = (firstName || '').trim().slice(0, 50);
+    const lName = (lastName || '').trim().slice(0, 50);
     const displayName = username || [fName, lName].filter(Boolean).join(' ') || 'User';
 
     if (displayName.length < 2) {
@@ -86,8 +93,12 @@ router.post('/register', async (req, res) => {
   }
 });
 
-// User login
-router.post('/login', async (req, res) => {
+// User login (rate limited)
+router.post('/login', (req, res, next) => {
+  const rl = req.app.locals.authRateLimit;
+  if (rl) return rl(req, res, next);
+  next();
+}, async (req, res) => {
   try {
     const { username, password, firstName, lastName, phone } = req.body;
 
@@ -106,9 +117,9 @@ router.post('/login', async (req, res) => {
     }
 
     // Update name/phone if provided and different from stored values
-    const fName = (firstName || '').trim();
-    const lName = (lastName || '').trim();
-    const ph = (phone || '').trim();
+    const fName = (firstName || '').trim().slice(0, 50);
+    const lName = (lastName || '').trim().slice(0, 50);
+    const ph = (phone || '').trim().slice(0, 20);
     const updates = [];
     const args = [];
     if (fName && fName !== user.first_name) { updates.push('first_name = ?'); args.push(fName); }

package/server/routes/settings.js

@@ -175,4 +175,95 @@ router.patch('/credentials/:credentialId/toggle', async (req, res) => {
   }
 });
 
+// ===============================
+// AI Provider Keys (BYOK)
+// ===============================
+
+const AI_PROVIDER_TYPES = [
+  'anthropic_key',
+  'openai_key',
+  'openrouter_key',
+  'google_key',
+];
+
+// Get all AI provider keys for the authenticated user (masked values)
+router.get('/ai-providers', async (req, res) => {
+  try {
+    const allCreds = [];
+    for (const type of AI_PROVIDER_TYPES) {
+      const creds = await credentialsDb.getCredentials(req.user.id, type);
+      allCreds.push(...creds.map(c => ({
+        id: c.id,
+        credential_name: c.credential_name,
+        credential_type: c.credential_type,
+        description: c.description,
+        is_active: c.is_active,
+        created_at: c.created_at,
+        // Mask the key — show first 8 and last 4 chars
+        masked_value: c.credential_value
+          ? c.credential_value.slice(0, 8) + '...' + c.credential_value.slice(-4)
+          : '***',
+      })));
+    }
+    res.json({ providers: allCreds });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to fetch AI provider keys' });
+  }
+});
+
+// Save an AI provider key
+router.post('/ai-providers', async (req, res) => {
+  try {
+    const { providerType, apiKey, name } = req.body;
+
+    if (!providerType || !AI_PROVIDER_TYPES.includes(providerType)) {
+      return res.status(400).json({ error: `Invalid provider type. Supported: ${AI_PROVIDER_TYPES.join(', ')}` });
+    }
+    if (!apiKey || !apiKey.trim()) {
+      return res.status(400).json({ error: 'API key is required' });
+    }
+    if (apiKey.trim().length < 10 || apiKey.trim().length > 256) {
+      return res.status(400).json({ error: 'Invalid API key length' });
+    }
+
+    const label = providerType.replace('_key', '').replace('_', ' ');
+    const credName = name?.trim() || `${label} API key`;
+
+    // Deactivate existing keys of same type (user should only have one active per provider)
+    const existing = await credentialsDb.getCredentials(req.user.id, providerType);
+    for (const cred of existing) {
+      if (cred.is_active) {
+        await credentialsDb.toggleCredential(req.user.id, cred.id, false);
+      }
+    }
+
+    const result = await credentialsDb.createCredential(
+      req.user.id,
+      credName,
+      providerType,
+      apiKey.trim(),
+      `User-provided ${label} API key`
+    );
+
+    res.json({ success: true, credential: { id: result.id, credential_type: providerType, credential_name: credName } });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to save AI provider key' });
+  }
+});
+
+// Delete an AI provider key
+router.delete('/ai-providers/:credentialId', async (req, res) => {
+  try {
+    const { credentialId } = req.params;
+    const success = await credentialsDb.deleteCredential(req.user.id, parseInt(credentialId));
+    if (success) {
+      res.json({ success: true });
+    } else {
+      res.status(404).json({ error: 'Provider key not found' });
+    }
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to delete provider key' });
+  }
+});
+
 export default router;

package/shared/modelConstants.js

@@ -65,3 +65,32 @@ export const CODEX_MODELS = {
 
   DEFAULT: 'gpt-5.2'
 };
+
+/**
+ * OpenRouter Models (BYOK — user brings their own API key)
+ * Access 200+ models from all major providers through a single API.
+ */
+export const OPENROUTER_MODELS = {
+  OPTIONS: [
+    { value: 'anthropic/claude-sonnet-4', label: 'Claude Sonnet 4' },
+    { value: 'anthropic/claude-opus-4', label: 'Claude Opus 4' },
+    { value: 'openai/gpt-4o', label: 'GPT-4o' },
+    { value: 'openai/o3', label: 'O3' },
+    { value: 'google/gemini-2.5-pro', label: 'Gemini 2.5 Pro' },
+    { value: 'meta-llama/llama-4-maverick', label: 'Llama 4 Maverick' },
+    { value: 'mistralai/mistral-large', label: 'Mistral Large' },
+    { value: 'deepseek/deepseek-r1', label: 'DeepSeek R1' },
+  ],
+
+  DEFAULT: 'anthropic/claude-sonnet-4'
+};
+
+/**
+ * AI Provider types for BYOK (Bring Your Own Key)
+ */
+export const AI_PROVIDER_TYPES = [
+  { type: 'anthropic_key', label: 'Anthropic', prefix: 'sk-ant-', placeholder: 'sk-ant-api03-...' },
+  { type: 'openai_key', label: 'OpenAI', prefix: 'sk-', placeholder: 'sk-...' },
+  { type: 'openrouter_key', label: 'OpenRouter', prefix: 'sk-or-', placeholder: 'sk-or-v1-...' },
+  { type: 'google_key', label: 'Google AI', prefix: 'AI', placeholder: 'AIza...' },
+];