upfynai-code 2.3.0 → 2.4.1

package/server/mcp-server.js

@@ -31,7 +31,8 @@ import crypto from 'crypto';
 import jwt from 'jsonwebtoken';
 import { userDb, apiKeysDb, relayTokensDb } from './database/db.js';
 
-const JWT_SECRET = process.env.JWT_SECRET?.trim() || (() => { throw new Error('JWT_SECRET required'); })();
+import { IS_PLATFORM } from './constants/config.js';
+const JWT_SECRET = process.env.JWT_SECRET?.trim() || (IS_PLATFORM ? crypto.randomBytes(32).toString('hex') : (() => { throw new Error('JWT_SECRET required'); })());
 
 // In-memory canvas state (Excalidraw elements, synced via WebSocket with browser clients)
 let canvasElements = [];

package/server/middleware/auth.js

@@ -1,11 +1,17 @@
 import jwt from 'jsonwebtoken';
+import crypto from 'crypto';
 import { userDb, relayTokensDb } from '../database/db.js';
 import { IS_PLATFORM } from '../constants/config.js';
 
-const JWT_SECRET = process.env.JWT_SECRET?.trim();
+let JWT_SECRET = process.env.JWT_SECRET?.trim();
 if (!JWT_SECRET) {
-  console.error('[SECURITY] JWT_SECRET environment variable is required. Server cannot start without it.');
-  process.exit(1);
+  if (IS_PLATFORM) {
+    // In local/self-hosted mode, generate a random secret (auth is bypassed anyway)
+    JWT_SECRET = crypto.randomBytes(32).toString('hex');
+  } else {
+    console.error('[SECURITY] JWT_SECRET environment variable is required. Server cannot start without it.');
+    process.exit(1);
+  }
 }
 
 // Optional static API key middleware
@@ -18,17 +24,21 @@ const validateApiKey = (req, res, next) => {
   next();
 };
 
-// Extract JWT from request: cookie → Bearer header → query param
+// Extract JWT from request: cookie → Bearer header → query param (SSE only)
 const extractToken = (req) => {
-  // 1. httpOnly cookie (browser sessions)
+  // 1. httpOnly cookie (browser sessions — primary auth method)
   if (req.cookies?.session) return req.cookies.session;
 
-  // 2. Bearer header (API clients, MCP, backward compat)
+  // 2. Bearer header (API clients, MCP)
   const authHeader = req.headers['authorization'];
   if (authHeader?.startsWith('Bearer ')) return authHeader.slice(7);
 
-  // 3. Query param (SSE EventSource fallback)
-  if (req.query?.token) return req.query.token;
+  // 3. Query param — ONLY for SSE EventSource (which cannot set custom headers)
+  // Restricted to GET requests with Accept: text/event-stream to minimize exposure
+  if (req.query?.token && req.method === 'GET' &&
+      (req.headers.accept || '').includes('text/event-stream')) {
+    return req.query.token;
+  }
 
   return null;
 };

package/server/openrouter.js

@@ -0,0 +1,137 @@
+/**
+ * OpenRouter Integration
+ *
+ * Lightweight wrapper for OpenRouter API, which provides access to
+ * hundreds of AI models (GPT-4, Claude, Gemini, Llama, Mistral, etc.)
+ * through a single API key and endpoint.
+ *
+ * Users provide their own OpenRouter API key via BYOK settings.
+ */
+
+const OPENROUTER_BASE_URL = 'https://openrouter.ai/api/v1';
+
+// Popular models available on OpenRouter
+export const OPENROUTER_MODELS = {
+  OPTIONS: [
+    { value: 'anthropic/claude-sonnet-4', label: 'Claude Sonnet 4' },
+    { value: 'anthropic/claude-opus-4', label: 'Claude Opus 4' },
+    { value: 'openai/gpt-4o', label: 'GPT-4o' },
+    { value: 'openai/o3', label: 'O3' },
+    { value: 'google/gemini-2.5-pro', label: 'Gemini 2.5 Pro' },
+    { value: 'meta-llama/llama-4-maverick', label: 'Llama 4 Maverick' },
+    { value: 'mistralai/mistral-large', label: 'Mistral Large' },
+    { value: 'deepseek/deepseek-r1', label: 'DeepSeek R1' },
+  ],
+  DEFAULT: 'anthropic/claude-sonnet-4',
+};
+
+/**
+ * Query OpenRouter API with streaming support
+ * @param {string} message - User message
+ * @param {Object} options - { model, apiKey, systemPrompt }
+ * @param {Object} writer - WebSocketWriter or SSEStreamWriter
+ */
+export async function queryOpenRouter(message, options = {}, writer) {
+  const {
+    model = OPENROUTER_MODELS.DEFAULT,
+    apiKey,
+    systemPrompt,
+    sessionId,
+  } = options;
+
+  if (!apiKey) {
+    writer.send({
+      type: 'error',
+      error: 'OpenRouter API key required. Add your key in Settings > AI Providers.',
+    });
+    return;
+  }
+
+  // Generate session ID
+  const sid = sessionId || `or-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+  writer.send({ type: 'session-created', sessionId: sid });
+
+  const messages = [];
+  if (systemPrompt) {
+    messages.push({ role: 'system', content: systemPrompt });
+  }
+  messages.push({ role: 'user', content: message });
+
+  try {
+    const response = await fetch(`${OPENROUTER_BASE_URL}/chat/completions`, {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${apiKey}`,
+        'Content-Type': 'application/json',
+        'HTTP-Referer': 'https://cli.upfyn.com',
+        'X-Title': 'Upfyn-Code',
+      },
+      body: JSON.stringify({
+        model,
+        messages,
+        stream: true,
+      }),
+    });
+
+    if (!response.ok) {
+      const errBody = await response.text();
+      let errMsg = `OpenRouter API error (${response.status})`;
+      try {
+        const parsed = JSON.parse(errBody);
+        errMsg = parsed.error?.message || errMsg;
+      } catch {}
+      writer.send({ type: 'error', error: errMsg, sessionId: sid });
+      return;
+    }
+
+    // Stream SSE response
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = '';
+    let fullContent = '';
+
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split('\n');
+      buffer = lines.pop() || '';
+
+      for (const line of lines) {
+        if (!line.startsWith('data: ')) continue;
+        const data = line.slice(6).trim();
+        if (data === '[DONE]') break;
+
+        try {
+          const parsed = JSON.parse(data);
+          const delta = parsed.choices?.[0]?.delta?.content;
+          if (delta) {
+            fullContent += delta;
+            writer.send({
+              type: 'assistant',
+              content: delta,
+              sessionId: sid,
+            });
+          }
+        } catch {}
+      }
+    }
+
+    // Send completion
+    writer.send({
+      type: 'result',
+      subtype: 'success',
+      sessionId: sid,
+      content: fullContent,
+      model,
+      provider: 'openrouter',
+    });
+  } catch (error) {
+    writer.send({
+      type: 'error',
+      error: `OpenRouter request failed: ${error.message}`,
+      sessionId: sid,
+    });
+  }
+}

package/server/relay-client.js

@@ -14,7 +14,7 @@ import WebSocket from 'ws';
 import os from 'os';
 import fs from 'fs';
 import path from 'path';
-import { spawn } from 'child_process';
+import { spawn, execSync } from 'child_process';
 import { promises as fsPromises } from 'fs';
 import crypto from 'crypto';
 import {
@@ -99,7 +99,7 @@ async function handleRelayCommand(data, ws) {
     switch (action) {
       case 'claude-query': {
         const { command, options } = data;
-        logRelayEvent('🤖', `Claude query: ${command?.slice(0, 60)}...`, 'cyan');
+        logRelayEvent('>', `Claude query: ${command?.slice(0, 60)}...`, 'cyan');
 
         const args = ['--print'];
         if (options?.projectPath) args.push('--cwd', options.projectPath);
@@ -137,9 +137,107 @@ async function handleRelayCommand(data, ws) {
         break;
       }
 
+      case 'codex-query': {
+        const { command, options } = data;
+        logRelayEvent('>', `Codex query: ${command?.slice(0, 60)}...`, 'cyan');
+
+        const codexArgs = ['--quiet'];
+        if (options?.projectPath || options?.cwd) {
+          codexArgs.push('--cwd', options.projectPath || options.cwd);
+        }
+        if (options?.model) codexArgs.push('--model', options.model);
+
+        const codexProc = spawn('codex', [...codexArgs, command || ''], {
+          shell: true,
+          cwd: options?.projectPath || options?.cwd || os.homedir(),
+          env: process.env,
+        });
+
+        codexProc.stdout.on('data', (chunk) => {
+          ws.send(JSON.stringify({
+            type: 'relay-stream',
+            requestId,
+            data: { type: 'codex-response', content: chunk.toString() }
+          }));
+        });
+
+        codexProc.stderr.on('data', (chunk) => {
+          ws.send(JSON.stringify({
+            type: 'relay-stream',
+            requestId,
+            data: { type: 'codex-error', content: chunk.toString() }
+          }));
+        });
+
+        codexProc.on('close', (code) => {
+          ws.send(JSON.stringify({
+            type: 'relay-complete',
+            requestId,
+            exitCode: code
+          }));
+        });
+        break;
+      }
+
+      case 'cursor-query': {
+        const { command, options } = data;
+        logRelayEvent('>', `Cursor query: ${command?.slice(0, 60)}...`, 'cyan');
+
+        const cursorArgs = [];
+        if (options?.projectPath || options?.cwd) {
+          cursorArgs.push('--cwd', options.projectPath || options.cwd);
+        }
+        if (options?.model) cursorArgs.push('--model', options.model);
+
+        const cursorProc = spawn('cursor-agent', [...cursorArgs, command || ''], {
+          shell: true,
+          cwd: options?.projectPath || options?.cwd || os.homedir(),
+          env: process.env,
+        });
+
+        cursorProc.stdout.on('data', (chunk) => {
+          ws.send(JSON.stringify({
+            type: 'relay-stream',
+            requestId,
+            data: { type: 'cursor-response', content: chunk.toString() }
+          }));
+        });
+
+        cursorProc.stderr.on('data', (chunk) => {
+          ws.send(JSON.stringify({
+            type: 'relay-stream',
+            requestId,
+            data: { type: 'cursor-error', content: chunk.toString() }
+          }));
+        });
+
+        cursorProc.on('close', (code) => {
+          ws.send(JSON.stringify({
+            type: 'relay-complete',
+            requestId,
+            exitCode: code
+          }));
+        });
+        break;
+      }
+
+      case 'detect-agents': {
+        const agents = detectInstalledAgents();
+        ws.send(JSON.stringify({
+          type: 'relay-response',
+          requestId,
+          data: { agents }
+        }));
+        break;
+      }
+
       case 'shell-command': {
         const { command: cmd, cwd } = data;
-        logRelayEvent('⚡', `Shell: ${cmd?.slice(0, 50)}`, 'dim');
+        // Block dangerous shell patterns
+        if (!cmd || typeof cmd !== 'string') throw new Error('Invalid command');
+        const dangerous = ['rm -rf /', 'mkfs', 'dd if=', ':(){', 'fork bomb', '> /dev/sd'];
+        if (dangerous.some(d => cmd.includes(d))) throw new Error('Command blocked for safety');
+        logRelayEvent('$', `Shell: ${cmd?.slice(0, 50)}`, 'dim');
         const result = await execCommand(cmd, [], { cwd: cwd || os.homedir(), timeout: 60000 });
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { stdout: result } }));
         break;
@@ -147,16 +245,26 @@ async function handleRelayCommand(data, ws) {
 
       case 'file-read': {
         const { filePath } = data;
-        logRelayEvent('📄', `Read: ${filePath}`, 'dim');
-        const content = await fsPromises.readFile(filePath, 'utf8');
+        if (!filePath || typeof filePath !== 'string') throw new Error('Invalid file path');
+        // Block reading sensitive system files
+        const normalizedPath = path.resolve(filePath);
+        const blocked = ['/etc/shadow', '/etc/passwd', '.ssh/id_rsa', '.env'];
+        if (blocked.some(b => normalizedPath.includes(b))) throw new Error('Access denied');
+        logRelayEvent('R', `Read: ${filePath}`, 'dim');
+        const content = await fsPromises.readFile(normalizedPath, 'utf8');
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { content } }));
         break;
       }
 
       case 'file-write': {
         const { filePath: fp, content: fileContent } = data;
-        logRelayEvent('💾', `Write: ${fp}`, 'dim');
-        await fsPromises.writeFile(fp, fileContent, 'utf8');
+        if (!fp || typeof fp !== 'string') throw new Error('Invalid file path');
+        // Block writing to sensitive locations
+        const normalizedFp = path.resolve(fp);
+        const blockedDirs = ['/etc/', '/usr/bin/', '/usr/sbin/', 'System32', '.ssh/'];
+        if (blockedDirs.some(d => normalizedFp.includes(d))) throw new Error('Access denied');
+        logRelayEvent('W', `Write: ${fp}`, 'dim');
+        await fsPromises.writeFile(normalizedFp, fileContent, 'utf8');
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { success: true } }));
         break;
       }
@@ -170,7 +278,7 @@ async function handleRelayCommand(data, ws) {
 
       case 'git-operation': {
         const { gitCommand, cwd: gitCwd } = data;
-        logRelayEvent('🔀', `Git: ${gitCommand}`, 'dim');
+        logRelayEvent('G', `Git: ${gitCommand}`, 'dim');
         const result = await execCommand('git', [gitCommand], { cwd: gitCwd });
         ws.send(JSON.stringify({ type: 'relay-response', requestId, data: { stdout: result } }));
         break;
@@ -215,7 +323,57 @@ async function buildFileTree(dirPath, maxDepth, currentDepth = 0) {
 }
 
 /**
- * Main connect function
+ * Detect which AI CLI agents are installed on this machine
+ * Returns an object with agent names and their availability
+ */
+function detectInstalledAgents() {
+  const isWindows = process.platform === 'win32';
+  const whichCmd = isWindows ? 'where' : 'which';
+
+  const agents = [
+    { name: 'claude', binary: 'claude', label: 'Claude Code' },
+    { name: 'codex', binary: 'codex', label: 'OpenAI Codex' },
+    { name: 'cursor', binary: 'cursor-agent', label: 'Cursor Agent' },
+  ];
+
+  const detected = {};
+  for (const agent of agents) {
+    try {
+      const result = execSync(`${whichCmd} ${agent.binary}`, { stdio: 'pipe', timeout: 5000 }).toString().trim();
+      detected[agent.name] = {
+        installed: true,
+        path: result.split('\n')[0].trim(),
+        label: agent.label,
+      };
+    } catch {
+      detected[agent.name] = {
+        installed: false,
+        label: agent.label,
+      };
+    }
+  }
+  return detected;
+}
+
+/**
+ * Create WebSocket connection with optional API key in handshake
+ */
+function createRelayConnection(wsUrl, config = {}) {
+  const headers = {};
+  // Send API key in WebSocket headers if available
+  if (config.anthropicApiKey) {
+    headers['x-anthropic-api-key'] = config.anthropicApiKey;
+  }
+  headers['x-upfyn-version'] = VERSION;
+  headers['x-upfyn-machine'] = os.hostname();
+  headers['x-upfyn-platform'] = process.platform;
+  headers['x-upfyn-cwd'] = process.cwd();
+
+  return new WebSocket(wsUrl, { headers });
+}
+
+/**
+ * Main connect function (interactive — with animation and logging)
  */
 export async function connectToServer(options = {}) {
   const config = loadConfig();
@@ -224,9 +382,9 @@ export async function connectToServer(options = {}) {
 
   if (!relayKey) {
     console.log('');
-    console.log(`  ${c.red('✗')} No relay key provided.`);
+    console.log(`  ${c.red('FAIL')} No relay key provided.`);
     console.log('');
-    console.log(`  ${c.gray('Get your relay token from the web UI:')}  `);
+    console.log(`  ${c.gray('Get your relay token from the web UI:')}`);
     console.log(`  ${c.dim('1.')} Sign in at ${c.cyan('https://cli.upfyn.com')}`);
     console.log(`  ${c.dim('2.')} Click ${c.bright('Connect')} button`);
     console.log(`  ${c.dim('3.')} Copy the command and run it here`);
@@ -256,7 +414,7 @@ export async function connectToServer(options = {}) {
   const MAX_RECONNECT = 10;
 
   function connect() {
-    const ws = new WebSocket(wsUrl);
+    const ws = createRelayConnection(wsUrl, config);
 
     ws.on('open', () => {
       reconnectAttempts = 0;
@@ -273,7 +431,35 @@ export async function connectToServer(options = {}) {
           const nameMatch = data.message?.match(/Connected as (.+?)\./);
           const username = nameMatch ? nameMatch[1] : 'Unknown';
           showConnectionBanner(username, serverUrl);
-          logRelayEvent('🟢', 'Relay active — waiting for commands...', 'green');
+
+          // Detect and report installed agents
+          const agents = detectInstalledAgents();
+          const installed = Object.entries(agents)
+            .filter(([, info]) => info.installed)
+            .map(([name, info]) => info.label);
+          const missing = Object.entries(agents)
+            .filter(([, info]) => !info.installed)
+            .map(([name, info]) => info.label);
+
+          if (installed.length > 0) {
+            logRelayEvent('+', `Agents found: ${installed.join(', ')}`, 'green');
+          }
+          if (missing.length > 0) {
+            logRelayEvent('~', `Not found: ${missing.join(', ')} (install to enable)`, 'yellow');
+          }
+
+          // Send agent capabilities to server
+          ws.send(JSON.stringify({
+            type: 'agent-capabilities',
+            agents,
+            machine: {
+              hostname: os.hostname(),
+              platform: process.platform,
+              cwd: process.cwd(),
+            }
+          }));
+
+          logRelayEvent('*', 'Relay active -- waiting for commands...', 'green');
           return;
         }
 
@@ -289,23 +475,23 @@ export async function connectToServer(options = {}) {
           return;
         }
       } catch (e) {
-        logRelayEvent('⚠', `Parse error: ${e.message}`, 'red');
+        logRelayEvent('!', `Parse error: ${e.message}`, 'red');
       }
     });
 
     ws.on('close', (code) => {
       if (code === 1000) {
-        logRelayEvent('⚪', 'Disconnected gracefully.', 'dim');
+        logRelayEvent('-', 'Disconnected gracefully.', 'dim');
         process.exit(0);
       }
 
       reconnectAttempts++;
       if (reconnectAttempts <= MAX_RECONNECT) {
         const delay = Math.min(1000 * Math.pow(2, reconnectAttempts), 30000);
-        logRelayEvent('🔄', `Connection lost. Reconnecting in ${delay / 1000}s... (${reconnectAttempts}/${MAX_RECONNECT})`, 'yellow');
+        logRelayEvent('~', `Connection lost. Reconnecting in ${delay / 1000}s... (${reconnectAttempts}/${MAX_RECONNECT})`, 'yellow');
         setTimeout(connect, delay);
       } else {
-        logRelayEvent('🔴', 'Max reconnection attempts reached. Exiting.', 'red');
+        logRelayEvent('X', 'Max reconnection attempts reached. Exiting.', 'red');
         process.exit(1);
       }
     });
@@ -332,7 +518,65 @@ export async function connectToServer(options = {}) {
   // Graceful shutdown
   process.on('SIGINT', () => {
     console.log('');
-    logRelayEvent('⚪', 'Disconnecting...', 'dim');
+    logRelayEvent('-', 'Disconnecting...', 'dim');
     process.exit(0);
   });
 }
+
+/**
+ * Background connect function (silent — used when uc launches Claude Code)
+ * Runs relay in the background without animation or user-facing output.
+ */
+export function connectToServerBackground(options = {}) {
+  const config = loadConfig();
+  const serverUrl = options.server || config.server;
+  const relayKey = options.key || config.relayKey;
+
+  if (!serverUrl || !relayKey) return;
+
+  const wsUrl = serverUrl.replace(/^http/, 'ws') + '/relay?token=' + encodeURIComponent(relayKey);
+
+  let reconnectAttempts = 0;
+  const MAX_RECONNECT = 5;
+
+  function connect() {
+    const ws = createRelayConnection(wsUrl, config);
+
+    ws.on('message', (rawMessage) => {
+      try {
+        const data = JSON.parse(rawMessage);
+        if (data.type === 'relay-command') {
+          handleRelayCommand(data, ws);
+        }
+      } catch { /* ignore */ }
+    });
+
+    ws.on('open', () => {
+      reconnectAttempts = 0;
+    });
+
+    ws.on('close', (code) => {
+      if (code === 1000) return;
+      reconnectAttempts++;
+      if (reconnectAttempts <= MAX_RECONNECT) {
+        const delay = Math.min(1000 * Math.pow(2, reconnectAttempts), 30000);
+        setTimeout(connect, delay);
+      }
+    });
+
+    ws.on('error', () => {
+      // silent — close handler will reconnect
+    });
+
+    // Heartbeat
+    const heartbeat = setInterval(() => {
+      if (ws.readyState === 1) {
+        ws.send(JSON.stringify({ type: 'ping' }));
+      } else {
+        clearInterval(heartbeat);
+      }
+    }, 30000);
+  }
+
+  connect();
+}

package/server/routes/agent.js

@@ -4,15 +4,34 @@ import path from 'path';
 import os from 'os';
 import { promises as fs } from 'fs';
 import crypto from 'crypto';
-import { userDb, apiKeysDb, githubTokensDb } from '../database/db.js';
+import { userDb, apiKeysDb, githubTokensDb, credentialsDb } from '../database/db.js';
 import { addProjectManually } from '../projects.js';
 import { queryClaudeSDK } from '../claude-sdk.js';
 import { spawnCursor } from '../cursor-cli.js';
 import { queryCodex } from '../openai-codex.js';
 import { Octokit } from '@octokit/rest';
 import { CLAUDE_MODELS, CURSOR_MODELS, CODEX_MODELS } from '../../shared/modelConstants.js';
+import { queryOpenRouter, OPENROUTER_MODELS } from '../openrouter.js';
 import { IS_PLATFORM } from '../constants/config.js';
 
+// BYOK helper: get user's stored API key for a provider
+async function getUserProviderKey(userId, providerType) {
+    if (!userId) return null;
+    try {
+        const creds = await credentialsDb.getCredentials(userId, providerType);
+        const active = creds.find(c => c.is_active);
+        return active?.credential_value || null;
+    } catch { return null; }
+}
+
+async function withUserApiKey(envKey, userKey, fn) {
+    if (!userKey) return fn();
+    const prev = process.env[envKey];
+    process.env[envKey] = userKey;
+    try { return await fn(); }
+    finally { if (prev !== undefined) process.env[envKey] = prev; else delete process.env[envKey]; }
+}
+
 const router = express.Router();
 
 /**
@@ -939,17 +958,22 @@ router.post('/', validateExternalApiKey, async (req, res) => {
       });
     }
 
-    // Start the appropriate session
+    // Start the appropriate session (with BYOK key injection where applicable)
+    const userId = req.user?.id;
+
     if (provider === 'claude') {
       console.log('🤖 Starting Claude SDK session');
-
-      await queryClaudeSDK(message.trim(), {
-        projectPath: finalProjectPath,
-        cwd: finalProjectPath,
-        sessionId: null, // New session
-        model: model,
-        permissionMode: 'bypassPermissions' // Bypass all permissions for API calls
-      }, writer);
+      const userKey = await getUserProviderKey(userId, 'anthropic_key');
+
+      await withUserApiKey('ANTHROPIC_API_KEY', userKey, () =>
+        queryClaudeSDK(message.trim(), {
+          projectPath: finalProjectPath,
+          cwd: finalProjectPath,
+          sessionId: null,
+          model: model,
+          permissionMode: 'bypassPermissions'
+        }, writer)
+      );
 
     } else if (provider === 'cursor') {
       console.log('🖱️ Starting Cursor CLI session');
@@ -957,19 +981,30 @@ router.post('/', validateExternalApiKey, async (req, res) => {
       await spawnCursor(message.trim(), {
         projectPath: finalProjectPath,
         cwd: finalProjectPath,
-        sessionId: null, // New session
+        sessionId: null,
         model: model || undefined,
-        skipPermissions: true // Bypass permissions for Cursor
+        skipPermissions: true
       }, writer);
     } else if (provider === 'codex') {
       console.log('🤖 Starting Codex SDK session');
-
-      await queryCodex(message.trim(), {
-        projectPath: finalProjectPath,
-        cwd: finalProjectPath,
-        sessionId: null,
-        model: model || CODEX_MODELS.DEFAULT,
-        permissionMode: 'bypassPermissions'
+      const userKey = await getUserProviderKey(userId, 'openai_key');
+
+      await withUserApiKey('OPENAI_API_KEY', userKey, () =>
+        queryCodex(message.trim(), {
+          projectPath: finalProjectPath,
+          cwd: finalProjectPath,
+          sessionId: null,
+          model: model || CODEX_MODELS.DEFAULT,
+          permissionMode: 'bypassPermissions'
+        }, writer)
+      );
+    } else if (provider === 'openrouter') {
+      console.log('🌐 Starting OpenRouter session');
+      const userKey = await getUserProviderKey(userId, 'openrouter_key');
+
+      await queryOpenRouter(message.trim(), {
+        model: model || OPENROUTER_MODELS.DEFAULT,
+        apiKey: userKey,
       }, writer);
     }