upfynai-code 3.0.4 → 3.1.0

package/src/mcp.js

@@ -0,0 +1,57 @@
+import chalk from 'chalk';
+import { readConfig } from './config.js';
+import { getToken, validateToken } from './auth.js';
+
+/**
+ * Print MCP configuration for Claude / Cursor / other AI tools.
+ * Optionally accepts --server and --key overrides.
+ */
+export async function mcp(options = {}) {
+  const config = readConfig();
+  const serverUrl = options.server || config.serverUrl;
+  let relayKey = options.key;
+
+  // If no key provided, fetch one using auth token
+  if (!relayKey) {
+    const token = getToken();
+    if (!token) {
+      console.log(chalk.yellow('\n  No account found. Run `uc login` first.\n'));
+      process.exit(1);
+    }
+
+    const user = await validateToken();
+    if (!user) {
+      console.log(chalk.yellow('\n  Session expired. Run `uc login` to re-authenticate.\n'));
+      process.exit(1);
+    }
+
+    try {
+      const res = await fetch(`${serverUrl}/api/auth/connect-token`, {
+        headers: { Authorization: `Bearer ${token}` },
+      });
+      if (!res.ok) throw new Error('Failed to get connect token');
+      const data = await res.json();
+      relayKey = data.token;
+    } catch (err) {
+      console.log(chalk.red('\n  Could not get connection token. Check your network and try again.\n'));
+      process.exit(1);
+    }
+  }
+
+  const mcpConfig = {
+    mcpServers: {
+      'upfynai-code': {
+        url: `${serverUrl}/mcp`,
+        headers: {
+          Authorization: `Bearer ${relayKey}`,
+        },
+      },
+    },
+  };
+
+  console.log(chalk.bold('\n  Upfyn-Code — MCP Integration\n'));
+  console.log(chalk.dim('  Add this to your Claude / Cursor MCP settings:\n'));
+  console.log(chalk.white(JSON.stringify(mcpConfig, null, 2)));
+  console.log('');
+  console.log(chalk.dim('  The JSON above contains your MCP URL and authorization header.\n'));
+}

package/src/permissions.js

@@ -0,0 +1,140 @@
+/**
+ * Permission-Gated Tool Execution
+ * Ported from opencode-ai/opencode internal/permission/permission.go
+ *
+ * Splits relay actions into safe (auto-approve) and dangerous (require browser approval).
+ * Permission requests are sent to the server → browser, and we wait for the response.
+ */
+
+// Safe actions — auto-approved, read-only (opencode pattern: tools without permission flag)
+const SAFE_ACTIONS = new Set([
+  'file-read',
+  'file-tree',
+  'browse-dirs',
+  'validate-path',
+  'detect-agents',
+]);
+
+// Dangerous actions — require user approval (opencode pattern: tools with permission flag)
+const DANGEROUS_ACTIONS = new Set([
+  'shell-command',
+  'file-write',
+  'create-folder',
+  'git-operation',
+]);
+
+// Safe shell command prefixes — auto-approved even within shell-command
+// (opencode pattern: safe bash commands bypass permission)
+const SAFE_SHELL_PREFIXES = [
+  'ls', 'dir', 'pwd', 'echo', 'cat', 'head', 'tail', 'wc',
+  'git status', 'git log', 'git diff', 'git branch', 'git remote',
+  'node --version', 'npm --version', 'python --version',
+  'which', 'where', 'type', 'whoami', 'hostname',
+  'date', 'uptime', 'df', 'free',
+];
+
+// Pending permission requests: requestId → { resolve }
+const pendingPermissions = new Map();
+
+/**
+ * Check if an action needs user permission.
+ * @param {string} action - Relay action type
+ * @param {object} payload - Action payload
+ * @returns {boolean}
+ */
+export function needsPermission(action, payload) {
+  if (SAFE_ACTIONS.has(action)) return false;
+  if (!DANGEROUS_ACTIONS.has(action)) return false; // unknown actions handled elsewhere
+
+  // Shell commands: check if it's a safe read-only command
+  if (action === 'shell-command' && payload?.command) {
+    const cmd = payload.command.trim().toLowerCase();
+    if (SAFE_SHELL_PREFIXES.some(prefix => cmd.startsWith(prefix))) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
+/**
+ * Request permission from the browser via the relay WebSocket.
+ * Blocks until the user approves or denies.
+ *
+ * @param {WebSocket} ws - Relay WebSocket connection
+ * @param {string} requestId - Relay request ID
+ * @param {string} action - Action being requested
+ * @param {object} payload - Action payload
+ * @param {number} timeoutMs - Timeout for waiting (default 60s)
+ * @returns {Promise<boolean>} - true if approved, false if denied
+ */
+export function requestPermission(ws, requestId, action, payload, timeoutMs = 60000) {
+  return new Promise((resolve) => {
+    const permId = `perm-${requestId}`;
+
+    const timeout = setTimeout(() => {
+      pendingPermissions.delete(permId);
+      resolve(false); // Timeout = deny
+    }, timeoutMs);
+
+    pendingPermissions.set(permId, {
+      resolve: (approved) => {
+        clearTimeout(timeout);
+        pendingPermissions.delete(permId);
+        resolve(approved);
+      },
+    });
+
+    // Send permission request to server → browser
+    ws.send(JSON.stringify({
+      type: 'relay-permission-request',
+      requestId,
+      permissionId: permId,
+      action,
+      description: describeAction(action, payload),
+      payload: sanitizePayload(action, payload),
+    }));
+  });
+}
+
+/**
+ * Handle a permission response from the server.
+ * @param {object} data - { permissionId, approved }
+ */
+export function handlePermissionResponse(data) {
+  const pending = pendingPermissions.get(data.permissionId);
+  if (pending) {
+    pending.resolve(Boolean(data.approved));
+  }
+}
+
+/**
+ * Generate a human-readable description of the action.
+ */
+function describeAction(action, payload) {
+  switch (action) {
+    case 'shell-command':
+      return `Execute command: ${payload?.command || '(unknown)'}`;
+    case 'file-write':
+      return `Write to file: ${payload?.filePath || '(unknown)'}`;
+    case 'create-folder':
+      return `Create folder: ${payload?.folderPath || '(unknown)'}`;
+    case 'git-operation':
+      return `Run git: ${payload?.gitCommand || '(unknown)'}`;
+    default:
+      return `${action}: ${JSON.stringify(payload || {}).slice(0, 200)}`;
+  }
+}
+
+/**
+ * Sanitize payload for display — remove large content fields.
+ */
+function sanitizePayload(action, payload) {
+  if (!payload) return {};
+  const safe = { ...payload };
+  // Don't send file content to browser for permission display
+  if (safe.content && safe.content.length > 500) {
+    safe.content = safe.content.slice(0, 500) + `... (${safe.content.length} chars total)`;
+  }
+  return safe;
+}

package/src/persistent-shell.js

@@ -0,0 +1,261 @@
+/**
+ * Persistent Shell Singleton
+ * Ported from opencode-ai/opencode internal/llm/tools/shell/shell.go
+ *
+ * Maintains a single long-running shell process across commands.
+ * - Commands are queued and executed sequentially
+ * - Environment and cwd persist between commands
+ * - Child processes can be killed on abort
+ * - Shell respawns automatically if it dies
+ */
+import { spawn, execSync } from 'child_process';
+import os from 'os';
+import path from 'path';
+import { promises as fs } from 'fs';
+
+let shellInstance = null;
+
+/**
+ * Get or create the persistent shell singleton.
+ * @param {string} workingDir - Initial working directory
+ * @returns {PersistentShell}
+ */
+export function getPersistentShell(workingDir) {
+  if (!shellInstance || !shellInstance.isAlive) {
+    shellInstance = new PersistentShell(workingDir || os.homedir());
+  }
+  return shellInstance;
+}
+
+class PersistentShell {
+  constructor(cwd) {
+    this.cwd = cwd;
+    this.isAlive = false;
+    this.commandQueue = [];
+    this.processing = false;
+    this.proc = null;
+    this.stdin = null;
+    this._start();
+  }
+
+  _start() {
+    const isWin = process.platform === 'win32';
+    const shellPath = isWin
+      ? process.env.COMSPEC || 'cmd.exe'
+      : process.env.SHELL || '/bin/bash';
+    const shellArgs = isWin ? ['/Q'] : ['-l'];
+
+    this.proc = spawn(shellPath, shellArgs, {
+      cwd: this.cwd,
+      env: { ...process.env, GIT_EDITOR: 'true' },
+      stdio: ['pipe', 'pipe', 'pipe'],
+      shell: false,
+    });
+
+    this.stdin = this.proc.stdin;
+    this.isAlive = true;
+
+    this.proc.on('close', () => {
+      this.isAlive = false;
+      // Reject any queued commands
+      for (const queued of this.commandQueue) {
+        queued.reject(new Error('Shell process died'));
+      }
+      this.commandQueue = [];
+    });
+
+    this.proc.on('error', () => {
+      this.isAlive = false;
+    });
+  }
+
+  /**
+   * Execute a command in the persistent shell.
+   * Queued and executed sequentially (opencode pattern: commandQueue channel).
+   *
+   * @param {string} command - Shell command to execute
+   * @param {object} opts - { timeoutMs, abortSignal }
+   * @returns {Promise<{ stdout, stderr, exitCode, interrupted, cwd }>}
+   */
+  exec(command, opts = {}) {
+    return new Promise((resolve, reject) => {
+      this.commandQueue.push({ command, opts, resolve, reject });
+      this._processNext();
+    });
+  }
+
+  async _processNext() {
+    if (this.processing || this.commandQueue.length === 0) return;
+    this.processing = true;
+
+    const { command, opts, resolve, reject } = this.commandQueue.shift();
+
+    try {
+      const result = await this._execCommand(command, opts);
+      resolve(result);
+    } catch (err) {
+      reject(err);
+    } finally {
+      this.processing = false;
+      // Process next in queue
+      if (this.commandQueue.length > 0) {
+        this._processNext();
+      }
+    }
+  }
+
+  async _execCommand(command, { timeoutMs = 60000, abortSignal } = {}) {
+    if (!this.isAlive) {
+      throw new Error('Shell is not alive');
+    }
+
+    const isWin = process.platform === 'win32';
+    const tmpDir = os.tmpdir();
+    const ts = Date.now() + '-' + Math.random().toString(36).slice(2, 8);
+    const stdoutFile = path.join(tmpDir, `uc-stdout-${ts}`);
+    const stderrFile = path.join(tmpDir, `uc-stderr-${ts}`);
+    const statusFile = path.join(tmpDir, `uc-status-${ts}`);
+    const cwdFile = path.join(tmpDir, `uc-cwd-${ts}`);
+
+    try {
+      // Build the shell command that redirects output to temp files
+      // Exact same pattern as opencode's shell.go execCommand
+      let fullCommand;
+      if (isWin) {
+        // Windows cmd.exe variant
+        fullCommand = [
+          `${command} > "${stdoutFile}" 2> "${stderrFile}"`,
+          `echo %ERRORLEVEL% > "${statusFile}"`,
+          `cd > "${cwdFile}"`,
+        ].join(' & ');
+      } else {
+        // Unix bash variant (identical to opencode)
+        const escaped = command.replace(/'/g, "'\\''");
+        fullCommand = [
+          `eval '${escaped}' < /dev/null > '${stdoutFile}' 2> '${stderrFile}'`,
+          `EXEC_EXIT_CODE=$?`,
+          `pwd > '${cwdFile}'`,
+          `echo $EXEC_EXIT_CODE > '${statusFile}'`,
+        ].join('\n');
+      }
+
+      this.stdin.write(fullCommand + '\n');
+
+      // Poll for status file (same polling pattern as opencode)
+      let interrupted = false;
+      const startTime = Date.now();
+
+      await new Promise((done, fail) => {
+        const poll = setInterval(async () => {
+          // Check abort
+          if (abortSignal?.aborted) {
+            this.killChildren();
+            interrupted = true;
+            clearInterval(poll);
+            done();
+            return;
+          }
+
+          // Check timeout
+          if (timeoutMs > 0 && Date.now() - startTime > timeoutMs) {
+            this.killChildren();
+            interrupted = true;
+            clearInterval(poll);
+            done();
+            return;
+          }
+
+          // Check if status file exists and has content
+          try {
+            const stat = await fs.stat(statusFile);
+            if (stat.size > 0) {
+              clearInterval(poll);
+              done();
+            }
+          } catch {
+            // File doesn't exist yet
+          }
+        }, 50);
+      });
+
+      // Read results from temp files
+      const stdout = await this._readFileOrEmpty(stdoutFile);
+      const stderr = await this._readFileOrEmpty(stderrFile);
+      const exitCodeStr = await this._readFileOrEmpty(statusFile);
+      const newCwd = await this._readFileOrEmpty(cwdFile);
+
+      let exitCode = 0;
+      if (exitCodeStr.trim()) {
+        exitCode = parseInt(exitCodeStr.trim(), 10) || 0;
+      } else if (interrupted) {
+        exitCode = 143;
+      }
+
+      if (newCwd.trim()) {
+        this.cwd = newCwd.trim();
+      }
+
+      return {
+        stdout: stdout,
+        stderr: interrupted ? stderr + '\nCommand execution timed out or was interrupted' : stderr,
+        exitCode,
+        interrupted,
+        cwd: this.cwd,
+      };
+    } finally {
+      // Cleanup temp files
+      await Promise.all([
+        fs.unlink(stdoutFile).catch(() => {}),
+        fs.unlink(stderrFile).catch(() => {}),
+        fs.unlink(statusFile).catch(() => {}),
+        fs.unlink(cwdFile).catch(() => {}),
+      ]);
+    }
+  }
+
+  /**
+   * Kill child processes of the shell (opencode pattern: killChildren).
+   * On Unix: pgrep -P <pid> → SIGTERM each child.
+   * On Windows: taskkill /PID /T.
+   */
+  killChildren() {
+    if (!this.proc?.pid) return;
+    try {
+      if (process.platform === 'win32') {
+        execSync(`taskkill /PID ${this.proc.pid} /T /F`, { stdio: 'ignore', timeout: 5000 });
+        // Respawn since taskkill kills the parent too on Windows
+        this._start();
+      } else {
+        const output = execSync(`pgrep -P ${this.proc.pid}`, { encoding: 'utf8', timeout: 5000 });
+        for (const line of output.split('\n')) {
+          const pid = parseInt(line.trim(), 10);
+          if (pid > 0) {
+            try { process.kill(pid, 'SIGTERM'); } catch { /* already dead */ }
+          }
+        }
+      }
+    } catch {
+      // pgrep/taskkill failed — no children to kill
+    }
+  }
+
+  /**
+   * Close the persistent shell.
+   */
+  close() {
+    if (!this.isAlive) return;
+    try {
+      this.stdin.write('exit\n');
+      this.proc.kill('SIGTERM');
+    } catch { /* ignore */ }
+    this.isAlive = false;
+  }
+
+  async _readFileOrEmpty(filePath) {
+    try {
+      return await fs.readFile(filePath, 'utf8');
+    } catch {
+      return '';
+    }
+  }
+}

package/src/server.js

@@ -0,0 +1,54 @@
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+import { existsSync } from 'fs';
+import express from 'express';
+import { createProxyMiddleware } from 'http-proxy-middleware';
+import open from 'open';
+import chalk from 'chalk';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const DIST_DIR = join(__dirname, '..', 'dist');
+
+export async function startServer(port, serverUrl, token) {
+  if (!existsSync(DIST_DIR)) {
+    console.log(chalk.red('\n  Error: No built frontend found at dist/.'));
+    console.log(chalk.dim('  Run the build-frontend script first, or use the default mode (no --local flag).\n'));
+    process.exit(1);
+  }
+
+  const app = express();
+
+  // Proxy API calls to the remote Vercel backend
+  app.use('/api', createProxyMiddleware({
+    target: serverUrl,
+    changeOrigin: true,
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+  }));
+
+  // Serve the built React frontend
+  app.use(express.static(DIST_DIR));
+
+  // SPA fallback — serve index.html for all non-API, non-static routes
+  app.get('*', (req, res) => {
+    res.sendFile(join(DIST_DIR, 'index.html'));
+  });
+
+  return new Promise((resolve) => {
+    const server = app.listen(port, async () => {
+      const url = `http://localhost:${port}?token=${encodeURIComponent(token)}`;
+      console.log(chalk.green(`\n  Local server running at ${chalk.bold(`http://localhost:${port}`)}`));
+      console.log(chalk.dim('  API proxy active. Press Ctrl+C to stop.\n'));
+      await open(url);
+      resolve(server);
+    });
+
+    const shutdown = () => {
+      console.log(chalk.dim('\n  Shutting down...'));
+      server.close(() => process.exit(0));
+    };
+    process.on('SIGINT', shutdown);
+    process.on('SIGTERM', shutdown);
+  });
+}

package/client/dist/assets/CanvasFullScreen-D1GWQsGL.js

@@ -1 +0,0 @@
-import{u as x,h as p,r as u,j as e}from"./vendor-react-96lCPsRK.js";import{u as f}from"./index-HaY-3pK1.js";import h from"./CanvasWorkspace-D7ORj358.js";import"./vendor-syntax-LS_Nt30I.js";import"./vendor-markdown-CimbIo6Y.js";import"./vendor-icons-GyYE35HP.js";import"./vendor-i18n-DCFGyhQR.js";import"./vendor-canvas-DvHJ_Pn2.js";import"./vendor-mermaid-DucWyDEe.js";function E(){const{projectName:s}=x(),r=p(),{sendMessage:l,latestMessage:m,connectionState:t}=f();if(u.useEffect(()=>{const n=o=>{var c,d;const i=(d=(c=o.target)==null?void 0:c.tagName)==null?void 0:d.toLowerCase();o.key==="Escape"&&i!=="input"&&i!=="textarea"&&r("/")};return window.addEventListener("keydown",n),()=>window.removeEventListener("keydown",n)},[r]),!s)return e.jsx("div",{className:"flex items-center justify-center h-screen bg-background text-muted-foreground",children:"No project selected"});const a=decodeURIComponent(s);return e.jsxs("div",{className:"fixed inset-0 bg-background flex flex-col z-50",children:[e.jsxs("div",{className:"flex items-center justify-between px-4 py-2 border-b border-border/50 bg-card/50 backdrop-blur-sm shrink-0",children:[e.jsxs("div",{className:"flex items-center gap-3",children:[e.jsxs("button",{onClick:()=>r("/"),className:"flex items-center gap-1.5 text-sm text-muted-foreground hover:text-foreground transition-colors",children:[e.jsx("svg",{className:"w-4 h-4",fill:"none",viewBox:"0 0 24 24",stroke:"currentColor",children:e.jsx("path",{strokeLinecap:"round",strokeLinejoin:"round",strokeWidth:2,d:"M15 19l-7-7 7-7"})}),"Back"]}),e.jsx("div",{className:"h-4 w-px bg-border/50"}),e.jsxs("div",{className:"flex items-center gap-2",children:[e.jsx("svg",{className:"w-4 h-4 text-primary",fill:"none",viewBox:"0 0 24 24",stroke:"currentColor",children:e.jsx("path",{strokeLinecap:"round",strokeLinejoin:"round",strokeWidth:2,d:"M4 5a1 1 0 011-1h14a1 1 0 011 1v2a1 1 0 01-1 1H5a1 1 0 01-1-1V5zM4 13a1 1 0 011-1h6a1 1 0 011 1v6a1 1 0 01-1 1H5a1 1 0 01-1-1v-6zM16 13a1 1 0 011-1h2a1 1 0 011 1v6a1 1 0 01-1 1h-2a1 1 0 01-1-1v-6z"})}),e.jsx("span",{className:"text-sm font-medium text-foreground",children:a}),e.jsx("span",{className:"text-[10px] px-1.5 py-0.5 rounded-full bg-primary/10 text-primary border border-primary/20 font-medium",children:"Canvas"})]})]}),e.jsxs("div",{className:"flex items-center gap-2",children:[t!=="connected"&&e.jsxs("div",{className:"flex items-center gap-1.5 text-[10px] px-2 py-0.5 rounded-full border border-amber-500/20 bg-amber-500/5 text-amber-400",children:[e.jsx("div",{className:"w-1.5 h-1.5 bg-amber-400 rounded-full animate-pulse"}),t==="reconnecting"?"Reconnecting...":"Offline"]}),e.jsx("span",{className:"text-[10px] text-muted-foreground",children:"Press Esc to exit"})]})]}),e.jsx("div",{className:"flex-1 min-h-0",children:e.jsx(h,{projectName:a,sendMessage:l,latestMessage:m,isFullScreen:!0})})]})}export{E as default};