upfynai-code 2.3.0 → 2.4.1

package/server/index.js

@@ -54,6 +54,7 @@ import { getProjects, getSessions, getSessionMessages, renameProject, deleteSess
 import { queryClaudeSDK, abortClaudeSDKSession, isClaudeSDKSessionActive, getActiveClaudeSDKSessions, resolveToolApproval } from './claude-sdk.js';
 import { spawnCursor, abortCursorSession, isCursorSessionActive, getActiveCursorSessions } from './cursor-cli.js';
 import { queryCodex, abortCodexSession, isCodexSessionActive, getActiveCodexSessions } from './openai-codex.js';
+import { queryOpenRouter, OPENROUTER_MODELS } from './openrouter.js';
 import { createMcpServer, mountMcpServer } from './mcp-server.js';
 import gitRoutes from './routes/git.js';
 import authRoutes from './routes/auth.js';
@@ -69,9 +70,10 @@ import cliAuthRoutes from './routes/cli-auth.js';
 import userRoutes from './routes/user.js';
 import codexRoutes from './routes/codex.js';
 import paymentRoutes from './routes/payments.js';
-import { initializeDatabase, relayTokensDb, subscriptionDb } from './database/db.js';
+import { initializeDatabase, relayTokensDb, subscriptionDb, credentialsDb, userDb } from './database/db.js';
 import { validateApiKey, authenticateToken, authenticateWebSocket } from './middleware/auth.js';
-import { IS_PLATFORM } from './constants/config.js';
+import { IS_PLATFORM, IS_LOCAL } from './constants/config.js';
+import { execSync } from 'child_process';
 
 // File system watchers for provider project/session folders
 const PROVIDER_WATCH_PATHS = [
@@ -348,6 +350,18 @@ if (server) {
 // Make WebSocket server available to routes
 app.locals.wss = wss;
 
+// Security headers — protect against common web attacks
+app.use((req, res, next) => {
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('X-Frame-Options', 'DENY');
+  res.setHeader('X-XSS-Protection', '1; mode=block');
+  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+  if (process.env.NODE_ENV === 'production') {
+    res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+  }
+  next();
+});
+
 // CORS: require explicit CORS_ORIGINS in production, restrict to same-origin otherwise
 const CORS_ORIGINS = process.env.CORS_ORIGINS
   ? process.env.CORS_ORIGINS.split(',').map(o => o.trim())
@@ -367,6 +381,44 @@ app.use(express.json({
 }));
 app.use(express.urlencoded({ limit: '50mb', extended: true }));
 
+// Rate limiting for auth endpoints — prevent brute force attacks
+const authRateLimitMap = new Map();
+const AUTH_RATE_WINDOW = 15 * 60 * 1000; // 15 minutes
+const AUTH_RATE_MAX = 10; // max attempts per window
+
+function authRateLimit(req, res, next) {
+  const key = req.ip || req.connection.remoteAddress || 'unknown';
+  const now = Date.now();
+  const entry = authRateLimitMap.get(key);
+
+  if (entry) {
+    // Clean expired entries
+    if (now - entry.windowStart > AUTH_RATE_WINDOW) {
+      authRateLimitMap.set(key, { windowStart: now, count: 1 });
+      return next();
+    }
+    entry.count++;
+    if (entry.count > AUTH_RATE_MAX) {
+      return res.status(429).json({ error: 'Too many attempts. Please try again later.' });
+    }
+  } else {
+    authRateLimitMap.set(key, { windowStart: now, count: 1 });
+  }
+  next();
+}
+
+// Clean up stale rate limit entries every 30 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, entry] of authRateLimitMap) {
+    if (now - entry.windowStart > AUTH_RATE_WINDOW) {
+      authRateLimitMap.delete(key);
+    }
+  }
+}, 30 * 60 * 1000);
+
+app.locals.authRateLimit = authRateLimit;
+
 // Vercel serverless: lazy DB initialization on first request
 let dbInitialized = false;
 if (process.env.VERCEL) {
@@ -488,12 +540,70 @@ app.get('/api/relay/status', authenticateToken, (req, res) => {
     });
 });
 
+/**
+ * Detect installed AI CLI agents on the local machine (server-side).
+ * Used in self-hosted/local mode where no relay is needed.
+ */
+let cachedLocalAgents = null;
+let localAgentsCacheTime = 0;
+function detectLocalAgents() {
+    // Cache for 60 seconds
+    if (cachedLocalAgents && Date.now() - localAgentsCacheTime < 60000) {
+        return cachedLocalAgents;
+    }
+    const isWindows = process.platform === 'win32';
+    const whichCmd = isWindows ? 'where' : 'which';
+    const agents = [
+        { name: 'claude', binary: 'claude', label: 'Claude Code' },
+        { name: 'codex', binary: 'codex', label: 'OpenAI Codex' },
+        { name: 'cursor', binary: 'cursor-agent', label: 'Cursor Agent' },
+    ];
+    const detected = {};
+    for (const agent of agents) {
+        try {
+            const result = execSync(`${whichCmd} ${agent.binary}`, { stdio: 'pipe', timeout: 5000 }).toString().trim();
+            detected[agent.name] = { installed: true, path: result.split('\n')[0].trim(), label: agent.label };
+        } catch {
+            detected[agent.name] = { installed: false, label: agent.label };
+        }
+    }
+    cachedLocalAgents = detected;
+    localAgentsCacheTime = Date.now();
+    return detected;
+}
+
 // Connection status — alias at path the frontend expects
 app.get('/api/auth/connection-status', authenticateToken, (req, res) => {
     const relay = relayConnections.get(Number(req.user.id));
+    const connected = !!(relay && relay.ws.readyState === 1);
+
+    // In local mode, always "connected" — SDK runs directly on this machine
+    if (IS_LOCAL) {
+        const agents = detectLocalAgents();
+        return res.json({
+            connected: true,
+            local: true,
+            connectedAt: Date.now(),
+            agents,
+            machine: {
+                hostname: os.hostname(),
+                platform: process.platform,
+                cwd: process.cwd(),
+            }
+        });
+    }
+
     res.json({
-        connected: !!(relay && relay.ws.readyState === 1),
-        connectedAt: relay?.connectedAt || null
+        connected,
+        local: false,
+        connectedAt: relay?.connectedAt || null,
+        agents: connected ? (relay.agents || null) : null,
+        machine: connected ? {
+            hostname: relay.machine,
+            platform: relay.platform,
+            cwd: relay.cwd,
+            version: relay.version,
+        } : null
     });
 });
 
@@ -520,77 +630,15 @@ app.use(express.static(path.join(__dirname, '../client/dist'), {
 // /api/config endpoint removed - no longer needed
 // Frontend now uses window.location for WebSocket URLs
 
-// System update endpoint
-app.post('/api/system/update', authenticateToken, async (req, res) => {
-    try {
-        // Get the project root directory (parent of server directory)
-        const projectRoot = path.join(__dirname, '..');
-
-        console.log('Starting system update from directory:', projectRoot);
-
-        // Run the update command
-        const updateCommand = 'git checkout main && git pull && npm install';
-
-        const child = spawn('sh', ['-c', updateCommand], {
-            cwd: projectRoot,
-            env: process.env
-        });
-
-        let output = '';
-        let errorOutput = '';
-
-        child.stdout.on('data', (data) => {
-            const text = data.toString();
-            output += text;
-            console.log('Update output:', text);
-        });
-
-        child.stderr.on('data', (data) => {
-            const text = data.toString();
-            errorOutput += text;
-            console.error('Update error:', text);
-        });
-
-        child.on('close', (code) => {
-            if (code === 0) {
-                res.json({
-                    success: true,
-                    output: output || 'Update completed successfully',
-                    message: 'Update completed. Please restart the server to apply changes.'
-                });
-            } else {
-                res.status(500).json({
-                    success: false,
-                    error: 'Update command failed',
-                    output: output,
-                    errorOutput: errorOutput
-                });
-            }
-        });
-
-        child.on('error', (error) => {
-            console.error('Update process error:', error);
-            res.status(500).json({
-                success: false,
-                error: error.message
-            });
-        });
-
-    } catch (error) {
-        console.error('System update error:', error);
-        res.status(500).json({
-            success: false,
-            error: error.message
-        });
-    }
-});
+// System update endpoint — REMOVED for security (shell command execution risk)
+// Use `uc update` from CLI instead
 
 app.get('/api/projects', authenticateToken, async (req, res) => {
     try {
         const projects = await getProjects(broadcastProgress);
         res.json(projects);
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -600,7 +648,7 @@ app.get('/api/projects/:projectName/sessions', authenticateToken, async (req, re
         const result = await getSessions(req.params.projectName, parseInt(limit), parseInt(offset));
         res.json(result);
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -625,7 +673,7 @@ app.get('/api/projects/:projectName/sessions/:sessionId/messages', authenticateT
             res.json(result);
         }
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -636,7 +684,7 @@ app.put('/api/projects/:projectName/rename', authenticateToken, async (req, res)
         await renameProject(req.params.projectName, displayName);
         res.json({ success: true });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -650,7 +698,7 @@ app.delete('/api/projects/:projectName/sessions/:sessionId', authenticateToken,
         res.json({ success: true });
     } catch (error) {
         // session delete error
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -662,7 +710,7 @@ app.delete('/api/projects/:projectName', authenticateToken, async (req, res) =>
         await deleteProject(projectName, force);
         res.json({ success: true });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -679,7 +727,7 @@ app.post('/api/projects/create', authenticateToken, async (req, res) => {
         res.json({ success: true, project });
     } catch (error) {
         console.error('Error creating project:', error);
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -832,13 +880,11 @@ app.get('/api/projects/:projectName/file', authenticateToken, async (req, res) =
             return res.status(404).json({ error: 'Project not found' });
         }
 
-        // Handle both absolute and relative paths
-        const resolved = path.isAbsolute(filePath)
-            ? path.resolve(filePath)
-            : path.resolve(projectRoot, filePath);
+        // Always resolve relative to project root to prevent path traversal
+        const resolved = path.resolve(projectRoot, filePath);
         const normalizedRoot = path.resolve(projectRoot) + path.sep;
-        if (!resolved.startsWith(normalizedRoot)) {
-            return res.status(403).json({ error: 'Path must be under project root' });
+        if (!resolved.startsWith(normalizedRoot) && resolved !== path.resolve(projectRoot)) {
+            return res.status(403).json({ error: 'Access denied' });
         }
 
         const content = await fsPromises.readFile(resolved, 'utf8');
@@ -850,7 +896,7 @@ app.get('/api/projects/:projectName/file', authenticateToken, async (req, res) =
         } else if (error.code === 'EACCES') {
             res.status(403).json({ error: 'Permission denied' });
         } else {
-            res.status(500).json({ error: error.message });
+            res.status(500).json({ error: 'Internal server error' });
         }
     }
 });
@@ -872,10 +918,11 @@ app.get('/api/projects/:projectName/files/content', authenticateToken, async (re
             return res.status(404).json({ error: 'Project not found' });
         }
 
-        const resolved = path.resolve(filePath);
+        // Resolve path relative to project root to prevent path traversal
+        const resolved = path.resolve(projectRoot, filePath);
         const normalizedRoot = path.resolve(projectRoot) + path.sep;
-        if (!resolved.startsWith(normalizedRoot)) {
-            return res.status(403).json({ error: 'Path must be under project root' });
+        if (!resolved.startsWith(normalizedRoot) && resolved !== path.resolve(projectRoot)) {
+            return res.status(403).json({ error: 'Access denied' });
         }
 
         // Check if file exists
@@ -903,7 +950,7 @@ app.get('/api/projects/:projectName/files/content', authenticateToken, async (re
     } catch (error) {
         console.error('Error serving binary file:', error);
         if (!res.headersSent) {
-            res.status(500).json({ error: error.message });
+            res.status(500).json({ error: 'Internal server error' });
         }
     }
 });
@@ -929,13 +976,11 @@ app.put('/api/projects/:projectName/file', authenticateToken, async (req, res) =
             return res.status(404).json({ error: 'Project not found' });
         }
 
-        // Handle both absolute and relative paths
-        const resolved = path.isAbsolute(filePath)
-            ? path.resolve(filePath)
-            : path.resolve(projectRoot, filePath);
+        // Always resolve relative to project root to prevent path traversal
+        const resolved = path.resolve(projectRoot, filePath);
         const normalizedRoot = path.resolve(projectRoot) + path.sep;
-        if (!resolved.startsWith(normalizedRoot)) {
-            return res.status(403).json({ error: 'Path must be under project root' });
+        if (!resolved.startsWith(normalizedRoot) && resolved !== path.resolve(projectRoot)) {
+            return res.status(403).json({ error: 'Access denied' });
         }
 
         // Write the new content
@@ -953,7 +998,7 @@ app.put('/api/projects/:projectName/file', authenticateToken, async (req, res) =
         } else if (error.code === 'EACCES') {
             res.status(403).json({ error: 'Permission denied' });
         } else {
-            res.status(500).json({ error: error.message });
+            res.status(500).json({ error: 'Internal server error' });
         }
     }
 });
@@ -985,7 +1030,7 @@ app.get('/api/projects/:projectName/files', authenticateToken, async (req, res)
         res.json(files);
     } catch (error) {
         console.error('[ERROR] File tree error:', error.message);
-        res.status(500).json({ error: error.message });
+        res.status(500).json({ error: 'Internal server error' });
     }
 });
 
@@ -1001,9 +1046,9 @@ if (wss) wss.on('connection', (ws, request) => {
     if (pathname === '/shell') {
         handleShellConnection(ws);
     } else if (pathname === '/ws') {
-        handleChatConnection(ws);
+        handleChatConnection(ws, request);
     } else if (pathname === '/relay') {
-        handleRelayConnection(ws, urlObj.searchParams.get('token'));
+        handleRelayConnection(ws, urlObj.searchParams.get('token'), request);
     } else {
         // unknown WebSocket path
         ws.close();
@@ -1036,9 +1081,44 @@ class WebSocketWriter {
   }
 }
 
+/**
+ * Look up a user's stored API key for a given provider.
+ * Falls back to server env vars if user has none stored.
+ * @param {number} userId
+ * @param {string} providerType - e.g. 'anthropic_key', 'openai_key', 'openrouter_key', 'google_key'
+ * @returns {Promise<string|null>}
+ */
+async function getUserProviderKey(userId, providerType) {
+    if (!userId) return null;
+    try {
+        const creds = await credentialsDb.getCredentials(userId, providerType);
+        const active = creds.find(c => c.is_active);
+        return active?.credential_value || null;
+    } catch { return null; }
+}
+
+/**
+ * Temporarily set environment variable for an AI SDK call, then restore.
+ * @param {string} envKey - e.g. 'ANTHROPIC_API_KEY'
+ * @param {string|null} userKey - user's BYOK key, null to skip
+ * @param {Function} fn - async function to execute with the key set
+ */
+async function withUserApiKey(envKey, userKey, fn) {
+    if (!userKey) return fn();
+    const prev = process.env[envKey];
+    process.env[envKey] = userKey;
+    try {
+        return await fn();
+    } finally {
+        if (prev !== undefined) process.env[envKey] = prev;
+        else delete process.env[envKey];
+    }
+}
+
 // Handle chat WebSocket connections
-function handleChatConnection(ws) {
+function handleChatConnection(ws, request) {
     // chat WebSocket connected
+    const wsUser = request?.user || null;
 
     // Add to connected clients for project updates
     connectedClients.add(ws);
@@ -1107,24 +1187,64 @@ function handleChatConnection(ws) {
                 }
                 if (sid) lockedSessionsForThisWs.add(sid);
 
-                console.log('[DEBUG] User message:', data.command || '[Continue/Resume]');
-                console.log('📁 Project:', data.options?.projectPath || 'Unknown');
-                // session message received
-
-                // Use Claude Agents SDK
-                await queryClaudeSDK(data.command, data.options, writer);
+                // Check if user has active relay → route to local machine
+                if (hasActiveRelay(wsUser?.userId)) {
+                    await routeViaRelay(wsUser.userId, 'claude-query', data, writer, {
+                        response: 'claude-response',
+                        complete: 'claude-complete',
+                        error: 'claude-error'
+                    });
+                } else {
+                    // Fall back to server-side SDK
+                    const userAnthropicKey = wsUser?.userId
+                        ? await getUserProviderKey(wsUser.userId, 'anthropic_key')
+                        : null;
+
+                    await withUserApiKey('ANTHROPIC_API_KEY', userAnthropicKey, () =>
+                        queryClaudeSDK(data.command, data.options, writer)
+                    );
+                }
             } else if (data.type === 'cursor-command') {
-                console.log('[DEBUG] Cursor message:', data.command || '[Continue/Resume]');
-                console.log('📁 Project:', data.options?.cwd || 'Unknown');
-                // session message received
-                console.log('🤖 Model:', data.options?.model || 'default');
-                await spawnCursor(data.command, data.options, writer);
+                // Check if user has active relay → route to local machine
+                if (hasActiveRelay(wsUser?.userId)) {
+                    await routeViaRelay(wsUser.userId, 'cursor-query', data, writer, {
+                        response: 'cursor-response',
+                        complete: 'cursor-complete',
+                        error: 'cursor-error'
+                    });
+                } else {
+                    await spawnCursor(data.command, data.options, writer);
+                }
             } else if (data.type === 'codex-command') {
-                console.log('[DEBUG] Codex message:', data.command || '[Continue/Resume]');
-                console.log('📁 Project:', data.options?.projectPath || data.options?.cwd || 'Unknown');
-                // session message received
-                console.log('🤖 Model:', data.options?.model || 'default');
-                await queryCodex(data.command, data.options, writer);
+                // Check if user has active relay → route to local machine
+                if (hasActiveRelay(wsUser?.userId)) {
+                    await routeViaRelay(wsUser.userId, 'codex-query', data, writer, {
+                        response: 'codex-response',
+                        complete: 'codex-complete',
+                        error: 'codex-error'
+                    });
+                } else {
+                    const userOpenaiKey = wsUser?.userId
+                        ? await getUserProviderKey(wsUser.userId, 'openai_key')
+                        : null;
+
+                    await withUserApiKey('OPENAI_API_KEY', userOpenaiKey, () =>
+                        queryCodex(data.command, data.options, writer)
+                    );
+                }
+            } else if (data.type === 'openrouter-command') {
+                console.log('[DEBUG] OpenRouter message:', data.command?.slice(0, 60) || '[empty]');
+                console.log('🤖 Model:', data.options?.model || OPENROUTER_MODELS.DEFAULT);
+
+                // BYOK: OpenRouter requires user's own API key
+                const userOrKey = wsUser?.userId
+                    ? await getUserProviderKey(wsUser.userId, 'openrouter_key')
+                    : null;
+
+                await queryOpenRouter(data.command, {
+                    ...data.options,
+                    apiKey: userOrKey,
+                }, writer);
             } else if (data.type === 'cursor-resume') {
                 // Backward compatibility: treat as cursor-command with resume and no prompt
                 // cursor resume session
@@ -1226,7 +1346,7 @@ function handleChatConnection(ws) {
 }
 
 // Handle relay WebSocket connections (local machine ↔ server bridge)
-async function handleRelayConnection(ws, token) {
+async function handleRelayConnection(ws, token, request) {
     if (!token) {
         ws.send(JSON.stringify({ type: 'error', error: 'Relay token required. Use ?token=upfyn_xxx' }));
         ws.close();
@@ -1243,9 +1363,20 @@ async function handleRelayConnection(ws, token) {
     const userId = Number(tokenData.user_id);
     const username = tokenData.username;
 
-    // Store relay connection (use Number() to ensure consistent Map key type)
-    relayConnections.set(userId, { ws, user: tokenData, connectedAt: Date.now() });
-    // relay connection established
+    // Extract optional headers from relay handshake
+    const anthropicApiKey = request?.headers?.['x-anthropic-api-key'] || null;
+    const relayVersion = request?.headers?.['x-upfyn-version'] || null;
+    const relayMachine = request?.headers?.['x-upfyn-machine'] || null;
+    const relayPlatform = request?.headers?.['x-upfyn-platform'] || null;
+    const relayCwd = request?.headers?.['x-upfyn-cwd'] || null;
+
+    // Store relay connection with API key in memory only (use Number() for consistent Map key type)
+    // API key is held per-user in the relay connection, NOT in process.env
+    relayConnections.set(userId, {
+        ws, user: tokenData, connectedAt: Date.now(), anthropicApiKey,
+        version: relayVersion, machine: relayMachine, platform: relayPlatform, cwd: relayCwd,
+        agents: null // populated when client sends agent-capabilities
+    });
 
     ws.send(JSON.stringify({
         type: 'relay-connected',
@@ -1296,6 +1427,29 @@ async function handleRelayConnection(ws, token) {
                 return;
             }
 
+            // Agent capabilities report from relay client
+            if (data.type === 'agent-capabilities') {
+                const relay = relayConnections.get(userId);
+                if (relay) {
+                    relay.agents = data.agents || {};
+                    relay.machine = data.machine || relay.machine;
+                }
+                // Broadcast agent info to browser clients
+                for (const client of connectedClients) {
+                    try {
+                        if (client.readyState === 1) {
+                            client.send(JSON.stringify({
+                                type: 'relay-agents',
+                                userId,
+                                agents: data.agents || {},
+                                machine: data.machine || {}
+                            }));
+                        }
+                    } catch (e) { /* ignore */ }
+                }
+                return;
+            }
+
             // Heartbeat
             if (data.type === 'ping') {
                 ws.send(JSON.stringify({ type: 'pong' }));
@@ -1346,7 +1500,7 @@ function sendRelayCommand(userId, action, payload, onStream = null, timeoutMs =
     return new Promise((resolve, reject) => {
         const relay = relayConnections.get(userId);
         if (!relay || relay.ws.readyState !== 1) {
-            reject(new Error('No relay connection. Run "upfynai-code connect" on your local machine.'));
+            reject(new Error('No relay connection. Run "uc connect" on your local machine.'));
             return;
         }
 
@@ -1367,6 +1521,95 @@ function sendRelayCommand(userId, action, payload, onStream = null, timeoutMs =
     });
 }
 
+/**
+ * Check if a user has an active relay connection
+ */
+function hasActiveRelay(userId) {
+    if (!userId) return false;
+    const relay = relayConnections.get(Number(userId));
+    return relay && relay.ws.readyState === 1;
+}
+
+/**
+ * Route a chat command through the user's relay connection to their local machine.
+ * Translates relay-stream/relay-complete events into the format the frontend expects.
+ *
+ * @param {number} userId - User ID
+ * @param {string} action - Relay action (claude-query, codex-query, cursor-query)
+ * @param {object} data - Original command data from the browser
+ * @param {object} writer - WebSocket writer to send events to browser
+ * @param {object} eventMap - Maps relay stream data types to chat event types
+ */
+async function routeViaRelay(userId, action, data, writer, eventMap = {}) {
+    const sessionId = data.options?.sessionId || `relay-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+
+    // Send session-created so the frontend can track this query
+    writer.send({ type: 'session-created', sessionId });
+
+    // Determine event types from the provider
+    const responseType = eventMap.response || 'claude-response';
+    const completeType = eventMap.complete || 'claude-complete';
+    const errorType = eventMap.error || 'claude-error';
+
+    let fullContent = '';
+
+    try {
+        const result = await sendRelayCommand(
+            Number(userId),
+            action,
+            {
+                command: data.command,
+                options: data.options || {}
+            },
+            // onStream callback — translates relay events to chat events
+            (streamData) => {
+                if (streamData.type === 'claude-response' || streamData.type === 'codex-response' || streamData.type === 'cursor-response') {
+                    fullContent += streamData.content || '';
+                    writer.send({
+                        type: responseType,
+                        data: {
+                            type: 'assistant',
+                            message: {
+                                type: 'text',
+                                text: streamData.content || ''
+                            }
+                        },
+                        sessionId
+                    });
+                } else if (streamData.type === 'claude-error' || streamData.type === 'codex-error' || streamData.type === 'cursor-error') {
+                    writer.send({
+                        type: responseType,
+                        data: {
+                            type: 'assistant',
+                            message: {
+                                type: 'text',
+                                text: streamData.content || ''
+                            }
+                        },
+                        sessionId
+                    });
+                }
+            },
+            600000 // 10 minute timeout for AI queries
+        );
+
+        // Send completion event
+        writer.send({
+            type: completeType,
+            sessionId,
+            exitCode: result?.exitCode ?? 0,
+            isNewSession: !data.options?.sessionId,
+            viaRelay: true
+        });
+    } catch (error) {
+        writer.send({
+            type: errorType,
+            error: error.message,
+            sessionId
+        });
+    }
+}
+
 // Handle shell WebSocket connections
 function handleShellConnection(ws) {
     if (!pty) {
@@ -1707,9 +1950,13 @@ app.post('/api/transcribe', authenticateToken, async (req, res) => {
                 return res.status(400).json({ error: 'No audio file provided' });
             }
 
-            const apiKey = process.env.OPENAI_API_KEY;
+            // BYOK: check user's stored OpenAI key first, fall back to server env
+            const userOpenaiKey = req.user?.id
+                ? await getUserProviderKey(req.user.id, 'openai_key')
+                : null;
+            const apiKey = userOpenaiKey || process.env.OPENAI_API_KEY;
             if (!apiKey) {
-                return res.status(500).json({ error: 'OpenAI API key not configured. Please set OPENAI_API_KEY in server environment.' });
+                return res.status(500).json({ error: 'OpenAI API key not configured. Add your key in Settings > AI Providers, or ask the admin to set OPENAI_API_KEY.' });
             }
 
             try {
@@ -1831,7 +2078,7 @@ Agent instructions:`;
 
             } catch (error) {
                 console.error('Transcription error:', error);
-                res.status(500).json({ error: error.message });
+                res.status(500).json({ error: 'Internal server error' });
             }
         });
     } catch (error) {
@@ -2222,6 +2469,18 @@ async function startServer() {
         // Initialize authentication database
         await initializeDatabase();
 
+        // In local mode, ensure a default user exists (no signup needed)
+        if (IS_LOCAL) {
+            const hasUsers = await userDb.hasUsers();
+            if (!hasUsers) {
+                const localUsername = os.userInfo().username || 'local';
+                const dummyHash = crypto.randomBytes(32).toString('hex');
+                await userDb.createUser(localUsername, dummyHash);
+                console.log(`${c.ok('[LOCAL]')} Created local user: ${c.bright(localUsername)}`);
+            }
+            console.log(`${c.info('[MODE]')} Running in ${c.bright('LOCAL')} mode (no login required)`);
+        }
+
         // Check if running in production mode (dist folder exists OR NODE_ENV/RAILWAY set)
         const distIndexPath = path.join(__dirname, '../dist/index.html');
         const isProduction = fs.existsSync(distIndexPath) || process.env.NODE_ENV === 'production' || !!process.env.RAILWAY_ENVIRONMENT;