Add tool-calling support and dashboard login

Introduce initial tool-calling support and consolidate dashboard login into the main UI.

Highlights:
- Add detailed contributor/copilot instructions (.github/copilot-instructions.md).
- Document Tool Calling in README and note supported built-in qodercli tools.
- Extend src/helpers/format.js: reorder/expand model catalogue; add extractToolCalls, buildToolCallStreamChunk, and buildFullChatResponseWithTools to surface qoder tool-calls in OpenAI-compatible responses.
- Update src/helpers/spawn.js: add process debug logging and change stream parsing to accumulate stdout and parse JSON lines on end (with invalid-JSON skipping); improved lifecycle logs and timeout handling.
- Update src/routes/chat.js: accept tools/tool_choice fields, emit streaming tool-call chunks, include tool-calls in non-streaming responses, and avoid killing child for non-streaming requests; use merged response builders.
- Small change in src/routes/completions.js to not kill child on non-streaming client disconnects.
- Merge dashboard login into src/dashboard/public/index.html (remove separate login.html), add login styles and client script to toggle login/dashboard views; route /dashboard/login now serves index.html.
- Add child-kill logging in dashboard API and minor server startup tweak in src/server.js.
- Remove test-proxy.py and test-stream.ps1 test scripts.

Notes:
- This commit introduces initial tool-call plumbing but logs indicate tool mapping is not fully implemented; streaming-parsing behavior was changed and may impact realtime SSE semantics.

Author: foxy1402

.github/copilot-instructions.md

@@ -0,0 +1,204 @@
+# Copilot Instructions - Qoder OpenAI Proxy
+
+## Project Overview
+
+This is an OpenAI-compatible API proxy for Qoder CLI (qodercli). It translates OpenAI-format API requests into qodercli commands, enabling any OpenAI-compatible tool (Cursor, LangChain, Open WebUI) to use Qoder models.
+
+Key responsibilities:
+- Accept /v1/chat/completions and /v1/completions requests in OpenAI format
+- Spawn qodercli child processes with appropriate model/prompt arguments
+- Stream responses back to clients via Server-Sent Events (SSE)
+- Provide a web dashboard for testing and monitoring at /dashboard/
+
+## Build, Test, and Run
+
+Start server (development):
+npm run dev       # Runs with --watch for auto-reload on file changes
+
+Start server (production):
+npm start         # Runs src/server.js directly
+
+Docker:
+docker build -t qoder-proxy .
+docker run -p 3000:3000 -e QODER_PERSONAL_ACCESS_TOKEN="..." -e PROXY_API_KEY="..." qoder-proxy
+
+No tests or linters are configured.
+
+## Architecture
+
+### Core Flow
+
+Client → Express → Auth → Routes → spawn.js → qodercli (child process) → Parse stream-json output → SSE/JSON response
+
+1. Routes (src/routes/) receive OpenAI-format requests
+2. format.js translates OpenAI model names → Qoder tiers and converts messages[] → single prompt string
+3. spawn.js spawns qodercli -p <prompt> -f stream-json --model <tier> as a child process
+4. Stream parsing reads line-delimited JSON from stdout, extracts text, and sends SSE chunks
+5. Logging (logStore.js) captures all requests/responses in RAM (circular buffer, max 500 entries)
+
+### Key Components
+
+| Component | Purpose |
+|-----------|---------|
+| src/server.js | Express app setup, route mounting, startup health checks |
+| src/config.js | Central config from env vars (PORT, API keys, timeouts) |
+| src/helpers/spawn.js | Spawns qodercli, handles stdout/stderr, implements timeout logic |
+| src/helpers/format.js | Model mapping (OpenAI aliases → Qoder tiers), message→prompt conversion, response builders |
+| src/store/logStore.js | In-memory circular log buffer for requests + system events |
+| src/middleware/auth.js | Bearer token validation for /v1/* endpoints |
+| src/middleware/dashboardAuth.js | Cookie-based HMAC auth for /dashboard/* |
+| src/routes/chat.js | /v1/chat/completions endpoint (supports streaming + non-streaming) |
+| src/routes/completions.js | /v1/completions (legacy text completion) |
+| src/routes/dashboard.js | Dashboard UI + API endpoints for logs/playground |
+
+## Key Conventions
+
+### 1. Model Mapping Strategy
+
+The proxy accepts OpenAI/Anthropic model names and maps them to Qoder tiers:
+
+gpt-4, gpt-4o, claude-3.5-sonnet  → auto (paid)
+o1, claude-3-opus                 → ultimate (paid)
+o1-mini, claude-3-sonnet          → performance (paid)
+claude-3.5-haiku, gemini-flash    → efficient (paid)
+gpt-3.5-turbo, gpt-4o-mini        → lite (free)
+
+- Direct Qoder tier names (auto, lite, etc.) pass through unchanged
+- Unknown names pass through as-is (allows custom model IDs)
+- Default model is lite if none specified
+- Model mapping logic lives in src/helpers/format.js (ALIAS_MAP and getModelMapping)
+
+### 2. Qodercli Integration
+
+Critical details:
+- Uses qodercli -p <prompt> -f stream-json --model <tier> for all requests
+- Parses line-delimited JSON from stdout (format: {"type":"assistant","subtype":"message","message":{...}})
+- Must handle both Windows (cmd.exe /c qodercli.cmd) and Unix (qodercli) spawn paths
+- Implements timeout killing (default 120s) to prevent hung processes
+- Cleans up child processes on client disconnect (req.on('close'))
+
+Never:
+- Buffer full response before sending (breaks streaming)
+- Forget to kill child processes on errors or timeouts
+- Parse non-JSON lines (some lines may be warnings/errors)
+
+### 3. Message → Prompt Conversion
+
+OpenAI messages array → single prompt string for qodercli (src/helpers/format.js — messagesToPrompt):
+
+- system messages → System: <content>
+- user messages → User: <content>
+- assistant messages → Assistant: <content>
+- Multi-part content [{type:'text', text:'...'}] → flattened to plain text
+- Last system message wins if multiple provided
+
+### 4. Response Building
+
+Two response formats:
+
+- Streaming: SSE chunks with delta.content, final chunk with finish_reason, then [DONE]
+- Non-streaming: Full response with message.content
+
+All responses follow OpenAI format (id, object, created, model, choices, usage).
+Response builders live in src/helpers/format.js (buildStreamChunk, buildDoneChunk, buildFullChatResponse, etc.).
+
+### 5. Logging Architecture
+
+All logging goes through src/store/logStore.js:
+
+- addRequest(entry) — logs API requests with payload, status, duration
+- addSystem(message, level, source) — logs system events (startup, errors, auth)
+- Circular buffers (max 500 entries each by default)
+- Logs are RAM-only (cleared on restart)
+- Payloads are truncated to LOG_BODY_MAX_BYTES (default 8KB)
+
+Console output format: [timestamp] METHOD /path → status (duration) [stream]
+
+### 6. Authentication Patterns
+
+Two auth systems:
+
+/v1/* endpoints:
+- Bearer token auth (PROXY_API_KEY env var)
+- Skips auth entirely if PROXY_API_KEY not set
+- Middleware: src/middleware/auth.js
+
+/dashboard/* routes:
+- Cookie-based HMAC session tokens
+- Login form at /dashboard/login (checks DASHBOARD_PASSWORD)
+- Token = base64url(timestamp.random.hmac(timestamp.random))
+- 7-day cookie expiry
+- Middleware: src/middleware/dashboardAuth.js
+
+### 7. Error Handling
+
+- 400 for invalid requests (missing messages, empty prompt)
+- 401 for auth failures
+- 500 for qodercli spawn errors or non-zero exit codes
+- 501 for unsupported endpoints (/v1/embeddings)
+- 504 for timeouts
+
+Return OpenAI-format errors:
+{
+  "error": {
+    "message": "...",
+    "type": "invalid_request_error|api_error|timeout_error|not_implemented_error",
+    "code": "invalid_api_key|endpoint_not_supported|...",
+    "details": "..." (optional, for debugging)
+  }
+}
+
+### 8. Environment Configuration
+
+All config lives in src/config.js, loaded from .env:
+
+Required for production:
+- QODER_PERSONAL_ACCESS_TOKEN — Qoder API credentials
+- PROXY_API_KEY — Bearer token for /v1/* auth
+- DASHBOARD_PASSWORD — Password for /dashboard/ access
+
+Optional tuning:
+- PORT (default 3000)
+- QODER_TIMEOUT_MS (default 120000)
+- LOG_MAX_ENTRIES (default 500)
+- LOG_BODY_MAX_BYTES (default 8192)
+- CORS_ORIGIN (default *)
+- DASHBOARD_ENABLED (default true)
+- DASHBOARD_SECRET (auto-generated if not set)
+
+## Common Tasks
+
+### Adding a New Model Alias
+
+Edit src/helpers/format.js:
+
+1. Add to ALIAS_MAP (maps OpenAI name → qodercli tier)
+2. Add to OPENAI_ALIASES in src/routes/misc.js (for /v1/models endpoint)
+
+### Adding a New Qoder Model
+
+Edit src/helpers/format.js:
+
+1. Add to QODER_MODELS array with {id, label, tier, description}
+
+### Modifying Stream Parsing
+
+Edit src/helpers/spawn.js — runQoderRequest():
+
+- Look for data.type === 'assistant' && data.subtype === 'message'
+- Extract content via extractTextContent(data.message)
+- Handle stop_reason from data.message.stop_reason
+
+### Changing Timeout Behavior
+
+Edit QODER_TIMEOUT_MS in src/config.js or .env file.
+Timeout logic lives in src/helpers/spawn.js (setTimeout → child.kill()).
+
+## Important Notes
+
+- **RAM-only design**: All logs/state are in-memory. Restart = data loss.
+- **Process cleanup**: Always kill child processes on errors, timeouts, or client disconnects to avoid zombies.
+- **SSE headers**: Must set X-Accel-Buffering: no for nginx compatibility.
+- **Windows compatibility**: All child_process spawns check process.platform === 'win32' and use cmd.exe wrapper.
+- **No token counting**: Qoder CLI doesn't provide token usage — all usage fields return null.
+- **Embeddings not supported**: /v1/embeddings returns 501 with explanation.

README.md

@@ -7,6 +7,7 @@ Use Qoder through any tool or library designed for OpenAI's API.
 
 - **🔌 OpenAI-Compatible**: Drop-in API replacement for apps like Cursor, Cline, LangChain, and Open WebUI
 - **💬 Full Chat Support**: Support for `/v1/chat/completions` (system messages, multi-turn history)
+- **🛠 Tool Calling**: Automatic tool execution (file operations, shell commands, code editing) with OpenAI-compatible responses
 - **⚡ Streaming**: Real-time SSE streaming responses without lag
 - **🔄 Intelligent Tier Mapping**: Seamless translation between OpenAI aliases (gpt-4, claude-3.5) and Qoder tiers (auto, ultimate, lite)
 - **📊 Admin Dashboard**: Built-in dark-themed web dashboard for testing, viewing live logs, and monitoring proxy health
@@ -117,10 +118,51 @@ curl http://localhost:3000/v1/chat/completions \
   }'
 ```
 
+## 🛠 Tool Calling
+
+The proxy supports **automatic tool calling** using qodercli's built-in tools. When the AI needs to perform actions like creating files, running commands, or searching code, it will automatically use the appropriate tools and return the results in OpenAI-compatible format.
+
+### Supported Built-in Tools
+
+- **Write**: Create/modify files
+- **Read**: Read file contents  
+- **Bash**: Execute shell commands
+- **Edit**: Make targeted file edits
+- **Grep**: Search text in files
+- **Glob**: Find files by pattern
+- **Task**: Delegate to specialized agents
+- **WebFetch**: Fetch web content
+- **ImageGen**: Generate images
+- And more...
+
+### Example Tool Call Response
+
+```json
+{
+  "choices": [{
+    "message": {
+      "role": "assistant", 
+      "content": "Created hello.py with the requested code.",
+      "tool_calls": [{
+        "id": "call_123",
+        "type": "function",
+        "function": {
+          "name": "Write",
+          "arguments": "{\"file_path\": \"hello.py\", \"content\": \"print('Hello!')\"}"
+        }
+      }]
+    },
+    "finish_reason": "tool_calls"
+  }]
+}
+```
+
+Tools are automatically invoked based on the user's request—no manual tool definitions required!
+
 ## ⚠️ Limitations
 - **Embeddings**: Qoder does not support embeddings. Calling `/v1/embeddings` securely returns a `501 Not Implemented`.
 - **Token usage limits**: Request token tracking / `usage` payload properties return `null`.
-- **Function calling**: Not implemented by the Qoder CLI wrapper yet.
+- **Custom Tools**: Only qodercli's built-in tools are supported (Write, Read, Bash, Edit, etc.). Custom OpenAI-style function definitions are not yet supported.
 
 ## License
 MIT

src/dashboard/public/index.html

@@ -6,8 +6,54 @@
 <link rel="preconnect" href="https://fonts.googleapis.com">
 <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
 <link rel="stylesheet" href="/dashboard/static/style.css">
+<style id="login-styles">
+/* Login-specific styles */
+.login-body{min-height:100vh;display:flex;align-items:center;justify-content:center;overflow:hidden}
+body.login-mode{min-height:100vh;display:flex;align-items:center;justify-content:center;overflow:hidden}
+body.login-mode::before{content:'';position:fixed;inset:0;background:radial-gradient(ellipse 80% 60% at 50% -10%,rgba(139,92,246,0.18),transparent);pointer-events:none;z-index:0}
+body.login-mode #app{display:none}
+body.login-mode #login-container{display:flex}
+#login-container{display:none;width:100%;justify-content:center;align-items:center;min-height:100vh}
+.login-card{background:var(--card);border:1px solid var(--border);border-radius:16px;padding:40px;width:100%;max-width:380px;box-shadow:0 24px 64px rgba(0,0,0,0.5);position:relative;z-index:1}
+.login-logo{display:flex;align-items:center;gap:10px;margin-bottom:28px}
+.login-logo-icon{width:38px;height:38px;background:linear-gradient(135deg,var(--accent),var(--accent2));border-radius:10px;display:flex;align-items:center;justify-content:center;font-weight:700;font-size:18px;color:#fff;flex-shrink:0}
+.login-logo-text{font-size:15px;font-weight:600;color:var(--text1)}
+.login-logo-sub{font-size:12px;color:var(--text2)}
+.login-card h1{font-size:22px;font-weight:700;margin-bottom:6px}
+.login-subtitle{font-size:13px;color:var(--text2);margin-bottom:28px}
+.login-field{margin-bottom:18px}
+.login-field label{display:block;font-size:12px;font-weight:500;color:var(--text2);margin-bottom:6px;letter-spacing:.03em;text-transform:uppercase}
+.login-field input[type=password]{width:100%;background:var(--surface);border:1px solid var(--border);color:var(--text1);border-radius:8px;padding:11px 14px;font-size:14px;font-family:inherit;outline:none;transition:border-color .2s}
+.login-field input[type=password]:focus{border-color:var(--accent)}
+.login-field input[type=password]::placeholder{color:var(--text3)}
+.login-btn{width:100%;padding:12px;background:linear-gradient(135deg,var(--accent),var(--accent2));color:#fff;border:none;border-radius:8px;font-size:14px;font-weight:600;font-family:inherit;cursor:pointer;transition:opacity .2s,box-shadow .2s;box-shadow:0 0 0 rgba(139,92,246,0)}
+.login-btn:hover{opacity:.9;box-shadow:0 0 24px rgba(139,92,246,0.35)}
+.login-error{background:rgba(239,68,68,.12);border:1px solid rgba(239,68,68,.3);color:#fca5a5;border-radius:8px;padding:10px 12px;font-size:13px;margin-bottom:16px;display:none}
+.login-error.show{display:block}
+</style>
 </head>
 <body>
+<!-- Login View -->
+<div id="login-container">
+  <div class="login-card">
+    <div class="login-logo">
+      <div class="login-logo-icon">Q</div>
+      <div><div class="login-logo-text">Qoder Proxy</div><div class="login-logo-sub">Dashboard</div></div>
+    </div>
+    <h1>Sign In</h1>
+    <p class="login-subtitle">Enter your dashboard password to continue</p>
+    <div class="login-error" id="login-err">Incorrect password. Please try again.</div>
+    <form method="POST" action="/dashboard/login">
+      <div class="login-field">
+        <label>Password</label>
+        <input type="password" name="password" id="pw" autofocus placeholder="••••••••••••" required>
+      </div>
+      <button type="submit" class="login-btn">Sign In</button>
+    </form>
+  </div>
+</div>
+
+<!-- Dashboard View -->
 <div id="app">
   <!-- Sidebar -->
   <aside id="sidebar">
@@ -66,6 +112,24 @@
     </main>
   </div>
 </div>
-<script src="/dashboard/static/app.js"></script>
+
+<script>
+// Detect if we should show login or dashboard
+(function() {
+  const isLoginPage = window.location.pathname === '/dashboard/login' || new URLSearchParams(location.search).get('error') === '1';
+  
+  if (isLoginPage) {
+    document.body.classList.add('login-mode');
+    if (new URLSearchParams(location.search).get('error') === '1') {
+      document.getElementById('login-err').classList.add('show');
+    }
+  } else {
+    // Load dashboard app only if not on login page
+    const script = document.createElement('script');
+    script.src = '/dashboard/static/app.js';
+    document.body.appendChild(script);
+  }
+})();
+</script>
 </body>
 </html>