vmcode-cli 1.0.0

package/src/utils/validation.py

@@ -0,0 +1,117 @@
+"""Command validation and duplicate detection."""
+
+import os
+import shlex
+
+
+# Commands that overlap with native tools (blocked - use the tool instead)
+BLOCKED_OVERLAPS = {
+    # Code search (use rg tool)
+    "rg", "rg.exe", "ripgrep",
+    
+    # File reading (use read_file tool)
+    "cat", "get-content", "type",
+    
+    # Directory listing (use list_directory tool)
+    "ls", "get-childitem", "dir",
+    
+    # File creation (use create_file tool)
+    "touch", "new-item",
+    
+    # File editing (use edit_file tool)
+    "set-content", "add-content", "echo", "tee",
+}
+
+
+def normalize_for_comparison(command):
+    """Normalize command for duplicate detection."""
+    # Remove shell prefix (e.g., "powershell ") and extra whitespace
+    cmd = command.strip().lower()
+    if cmd.startswith("powershell "):
+        cmd = cmd[11:].strip()
+    return cmd
+
+
+def check_for_duplicate(chat_manager, command):
+    """Check if command was already run and return simple warning.
+
+    Returns:
+        tuple: (is_duplicate, redirect_message)
+    """
+    normalized = normalize_for_comparison(command)
+
+    if normalized in chat_manager.command_history:
+        redirect_msg = (
+            f"exit_code=DUPLICATE\n"
+            f"This exact command was already executed: {command}\n\n"
+            f"The result is already in your conversation history.\n"
+            f"Try a DIFFERENT command with different search terms, "
+            f"different file paths, or a different approach entirely."
+        )
+        return True, redirect_msg
+
+    # Add to history
+    chat_manager.command_history.append(normalized)
+    return False, None
+
+
+def _tokenize_segment(segment):
+    use_posix = os.name != "nt"
+    try:
+        return shlex.split(segment, posix=use_posix)
+    except ValueError:
+        return segment.split()
+
+
+def check_command(command):
+    """Validate command against safety checks.
+
+    Args:
+        command: Command string to validate
+
+    Returns:
+        tuple: (is_safe, reason) - is_safe is True if command is allowed
+               If is_safe is True, the caller should check approval requirements separately
+    """
+    command = command.strip()
+    if not command:
+        return False, "empty command"
+
+    # Strip "powershell " prefix if present (legacy support for Windows users)
+    if command.lower().startswith("powershell "):
+        command = command[len("powershell "):].strip()
+
+    # Block dangerous operators (command chaining and redirection)
+    # Allow && for conditional chaining (stops on error - safer than ; or &)
+    blocked_operators = (";", ">", "<", "`", "|")
+    if any(token in command for token in blocked_operators):
+        return False, "contains disallowed shell operators"
+    
+    # Note: && is allowed for conditional chaining. The agent will display
+    # a warning in debug mode when using && for multi-step commands.
+
+    # After stripping prefix, reject if it still starts with "powershell"
+    if command.lower().startswith("powershell"):
+        return False, "nested powershell invocation"
+
+    # Tokenize and validate command name
+    tokens = _tokenize_segment(command)
+    if not tokens:
+        return False, "empty command"
+
+    cmd_name = tokens[0].lower()
+
+    # Block commands that overlap with native tools
+    if cmd_name in BLOCKED_OVERLAPS:
+        tool_map = {
+            "rg": "rg tool", "rg.exe": "rg tool", "ripgrep": "rg tool",
+            "cat": "read_file tool", "get-content": "read_file tool", "type": "read_file tool",
+            "ls": "list_directory tool", "get-childitem": "list_directory tool", "dir": "list_directory tool",
+            "touch": "create_file tool", "new-item": "create_file tool",
+            "set-content": "edit_file tool", "add-content": "edit_file tool", "echo": "edit_file tool", "tee": "edit_file tool",
+        }
+        tool_suggestion = tool_map.get(cmd_name, "appropriate native tool")
+        return False, f"command '{cmd_name}' overlaps with {tool_suggestion}. Use the native tool instead."
+
+    # Allow all other commands
+    return True, None

package/src/utils/web_search.py

@@ -0,0 +1,71 @@
+"""Web search using DuckDuckGo (no API key required)."""
+
+from ddgs import DDGS
+from exceptions import LLMConnectionError
+
+
+def run_web_search(arguments, console):
+    """Execute web search using DuckDuckGo and return formatted results.
+
+    Args:
+        arguments: {
+            "query": "search terms to look for",
+            "num_results": 5  # optional, number of results (default: 5, max: 10)
+        }
+        console: Rich console for output
+
+    Returns:
+        str: Formatted search results with metadata for model consumption
+
+    Raises:
+        LLMConnectionError: If network search fails
+    """
+    query = arguments.get("query")
+    num_results = arguments.get("num_results", 5)
+
+    if not query:
+        raise LLMConnectionError(
+            "Missing required parameter: query",
+            details={"arguments": arguments}
+        )
+
+    # Validate and clamp num_results between 1 and 10
+    try:
+        num_results = max(1, min(10, int(num_results)))
+    except (ValueError, TypeError):
+        num_results = 5
+
+    try:
+        with DDGS() as ddgs:
+            results = list(ddgs.text(query, max_results=num_results))
+
+        if not results:
+            return "results_found=0\nNo results found.\n\n"
+
+        # Format results for model only (not displayed to console)
+        output_lines = []
+        for idx, result in enumerate(results, 1):
+            title = result.get("title", "Untitled")
+            url = result.get("href", "N/A")
+            body = result.get("body", "No content")
+
+            output_lines.append(f"[{idx}] {title}")
+            output_lines.append(f"URL: {url}")
+            output_lines.append(f"Snippet: {body}")
+            if idx < len(results):
+                output_lines.append("")
+
+        # Build result string with metadata for model
+        result_content = "\n".join(output_lines)
+        return f"results_found={len(results)}\n{result_content}\n\n"
+
+    except LLMConnectionError:
+        # Re-raise our custom exceptions
+        raise
+    except Exception as e:
+        console.print(f"Web search failed: {e}", style="red")
+        raise LLMConnectionError(
+            f"Failed to perform web search",
+            details={"query": query, "original_error": str(e)}
+        )
+

package/vmcode-proxy/.env.example

@@ -0,0 +1,5 @@
+# OpenRouter API Key (get yours at https://openrouter.ai/)
+OPENROUTER_API_KEY=sk-or-your-openrouter-api-key-here
+
+# Port (default: 3000, Vercel will override this)
+PORT=3000

package/vmcode-proxy/README.md

@@ -0,0 +1,235 @@
+# vmCode Proxy Server
+
+Production-ready proxy server for vmCode free tier using OpenRouter's `z-ai/glm-4.5-air:free` model.
+
+## Features
+
+- **Rate Limiting**: Multi-tier protection
+  - 15-minute window: 100 requests per IP
+  - Daily per-IP: 500 requests (free tier)
+  - Daily global: 10,000 requests (hard limit)
+- **Security**: CORS enabled, request validation, 60s timeout
+- **Performance**: Gzip compression, memory cleanup
+- **Monitoring**: `/health` and `/stats` endpoints
+- **Reliability**: Graceful shutdown, error handling
+
+## What This Does
+
+- Holds your OpenRouter API key (never exposed to users)
+- Forwards requests to OpenRouter's free models
+- Allows vmCode users to use the app without configuring API keys
+- Prevents abuse with IP-based rate limiting
+
+## Local Development
+
+```bash
+# Install dependencies
+npm install
+
+# Set up environment variables
+cp .env.example .env
+# Edit .env and add your OpenRouter API key
+
+# Run locally
+npm start
+```
+
+The server will run on `http://localhost:3000`
+
+## Deploy to Vercel
+
+### 1. Install Vercel CLI
+
+```bash
+npm install -g vercel
+```
+
+### 2. Deploy
+
+```bash
+# From the vmcode-proxy directory
+vercel login
+vercel --prod
+```
+
+### 3. Set Environment Variable
+
+```bash
+vercel env add OPENROUTER_API_KEY production
+# Paste your OpenRouter API key when prompted
+```
+
+### 4. Get Your URL
+
+After deployment, Vercel will give you a URL like:
+`https://vmcode-proxy.vercel.app`
+
+## Update vmCode Config
+
+After deploying, update your vmCode config to point to your deployed proxy:
+
+In `config.yaml`:
+```yaml
+VMCODE_FREE_API_BASE: "https://your-deployed-url.vercel.app"
+```
+
+Or update the default in `src/llm/config.py`:
+```python
+"api_base": _CONFIG.get("VMCODE_FREE_API_BASE", "https://your-deployed-url.vercel.app"),
+```
+
+## Testing
+
+### Test the Proxy Directly
+
+```bash
+curl -X POST https://your-deployed-url.vercel.app/chat \
+  -H "Content-Type: application/json" \
+  -d '{
+    "messages": [
+      {"role": "user", "content": "Hello!"}
+    ]
+  }'
+```
+
+### Test Health Endpoint
+
+```bash
+curl https://your-deployed-url.vercel.app/health
+```
+
+## Rate Limiting
+
+The proxy enforces multiple rate limits to prevent abuse:
+
+| Limit | Window | Scope |
+|-------|--------|-------|
+| 100 requests | 15 minutes | Per IP |
+| 500 requests | 24 hours | Per IP (free tier) |
+| 10,000 requests | 24 hours | Global (all IPs) |
+
+When limits are exceeded, the proxy returns HTTP 429 with reset time.
+
+## Monitoring
+
+### Health Endpoint
+
+```bash
+curl https://your-deployed-url.vercel.app/health
+```
+
+Returns:
+```json
+{
+  "status": "ok",
+  "service": "vmcode-proxy",
+  "todayRequests": 1234,
+  "dailyLimit": 10000,
+  "percentUsed": 12,
+  "ipUsage": {
+    "requests": 50,
+    "limit": 500,
+    "percentUsed": 10
+  },
+  "activeIps": 42
+}
+```
+
+### Stats Endpoint
+
+```bash
+curl https://your-deployed-url.vercel.app/stats
+```
+
+Returns detailed usage statistics including per-IP breakdown.
+
+### OpenRouter Dashboard
+
+Check OpenRouter dashboard for:
+- Usage statistics
+- Cost tracking
+- Which free models are being used
+
+Set up billing alerts to control costs:
+- $10, $50, $100 alerts recommended
+
+## Costs
+
+- **Vercel:** Free tier (up to 100GB bandwidth/month)
+- **OpenRouter:** Pay for what you use
+  - Free models: ~$0-0.10 per 1M tokens
+  - Estimated: $0-10/month for first 1000 users
+
+## Troubleshooting
+
+### "OPENROUTER_API_KEY not configured"
+
+Make sure you set the environment variable in Vercel:
+```bash
+vercel env ls
+```
+
+### 500 errors from proxy
+
+Check Vercel logs:
+```bash
+vercel logs
+```
+
+### 429 Rate limit exceeded
+
+The client has exceeded one of the rate limits:
+- Wait until the reset time
+- Reduce request frequency
+- Contact admin if limits need adjustment
+
+### 504 Request timeout
+
+The upstream OpenRouter API took too long (>60s). This is rare but can happen during high load.
+
+### Slow responses
+
+OpenRouter's `z-ai/glm-4.5-air:free` model may take longer than direct API calls. This is normal.
+
+## Architecture
+
+```
+User → vmcode-proxy → OpenRouter /free models
+       ↓
+    Rate Limiting
+    Request Validation
+    Error Handling
+    Memory Cleanup
+```
+
+**Memory Management:**
+- IP usage entries are automatically cleaned up after 2 days
+- Cleanup runs every hour to prevent memory leaks
+- Active IPs count shown in health endpoint
+
+**Graceful Shutdown:**
+- On SIGTERM/SIGINT, server waits 10s for in-flight requests
+- Force shutdown after second signal
+
+## Security
+
+- **API Keys**: Stored in environment variables, never in code
+- **CORS**: Enabled for cross-origin requests
+- **Request Validation**: Validates message array structure
+- **Timeout**: 60s timeout prevents hanging requests
+- **Rate Limiting**: Prevents abuse and DDoS
+
+## Scaling
+
+**Current Setup (Single Server):**
+- In-memory rate limiting
+- Suitable for up to ~10,000 daily users
+
+**For Larger Scale:**
+- Add Redis for distributed rate limiting
+- Use a load balancer with multiple instances
+- Add authentication for per-user limits
+
+## License
+
+Same as vmCode-CLI project.