3c7efc58c8
This release represents a comprehensive transformation of the codebase from Codex to LLMX, enhanced with LiteLLM integration to support 100+ LLM providers through a unified API. ## Major Changes ### Phase 1: Repository & Infrastructure Setup - Established new repository structure and branching strategy - Created comprehensive project documentation (CLAUDE.md, LITELLM-SETUP.md) - Set up development environment and tooling configuration ### Phase 2: Rust Workspace Transformation - Renamed all Rust crates from `codex-*` to `llmx-*` (30+ crates) - Updated package names, binary names, and workspace members - Renamed core modules: codex.rs → llmx.rs, codex_delegate.rs → llmx_delegate.rs - Updated all internal references, imports, and type names - Renamed directories: codex-rs/ → llmx-rs/, codex-backend-openapi-models/ → llmx-backend-openapi-models/ - Fixed all Rust compilation errors after mass rename ### Phase 3: LiteLLM Integration - Integrated LiteLLM for multi-provider LLM support (Anthropic, OpenAI, Azure, Google AI, AWS Bedrock, etc.) - Implemented OpenAI-compatible Chat Completions API support - Added model family detection and provider-specific handling - Updated authentication to support LiteLLM API keys - Renamed environment variables: OPENAI_BASE_URL → LLMX_BASE_URL - Added LLMX_API_KEY for unified authentication - Enhanced error handling for Chat Completions API responses - Implemented fallback mechanisms between Responses API and Chat Completions API ### Phase 4: TypeScript/Node.js Components - Renamed npm package: @codex/codex-cli → @valknar/llmx - Updated TypeScript SDK to use new LLMX APIs and endpoints - Fixed all TypeScript compilation and linting errors - Updated SDK tests to support both API backends - Enhanced mock server to handle multiple API formats - Updated build scripts for cross-platform packaging ### Phase 5: Configuration & Documentation - Updated all configuration files to use LLMX naming - Rewrote README and documentation for LLMX branding - Updated config paths: ~/.codex/ → ~/.llmx/ - Added comprehensive LiteLLM setup guide - Updated all user-facing strings and help text - Created release plan and migration documentation ### Phase 6: Testing & Validation - Fixed all Rust tests for new naming scheme - Updated snapshot tests in TUI (36 frame files) - Fixed authentication storage tests - Updated Chat Completions payload and SSE tests - Fixed SDK tests for new API endpoints - Ensured compatibility with Claude Sonnet 4.5 model - Fixed test environment variables (LLMX_API_KEY, LLMX_BASE_URL) ### Phase 7: Build & Release Pipeline - Updated GitHub Actions workflows for LLMX binary names - Fixed rust-release.yml to reference llmx-rs/ instead of codex-rs/ - Updated CI/CD pipelines for new package names - Made Apple code signing optional in release workflow - Enhanced npm packaging resilience for partial platform builds - Added Windows sandbox support to workspace - Updated dotslash configuration for new binary names ### Phase 8: Final Polish - Renamed all assets (.github images, labels, templates) - Updated VSCode and DevContainer configurations - Fixed all clippy warnings and formatting issues - Applied cargo fmt and prettier formatting across codebase - Updated issue templates and pull request templates - Fixed all remaining UI text references ## Technical Details **Breaking Changes:** - Binary name changed from `codex` to `llmx` - Config directory changed from `~/.codex/` to `~/.llmx/` - Environment variables renamed (CODEX_* → LLMX_*) - npm package renamed to `@valknar/llmx` **New Features:** - Support for 100+ LLM providers via LiteLLM - Unified authentication with LLMX_API_KEY - Enhanced model provider detection and handling - Improved error handling and fallback mechanisms **Files Changed:** - 578 files modified across Rust, TypeScript, and documentation - 30+ Rust crates renamed and updated - Complete rebrand of UI, CLI, and documentation - All tests updated and passing **Dependencies:** - Updated Cargo.lock with new package names - Updated npm dependencies in llmx-cli - Enhanced OpenAPI models for LLMX backend This release establishes LLMX as a standalone project with comprehensive LiteLLM integration, maintaining full backward compatibility with existing functionality while opening support for a wide ecosystem of LLM providers. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Sebastian Krüger <support@pivoine.art>
273 lines
9.3 KiB
Rust
273 lines
9.3 KiB
Rust
use crate::winutil::to_wide;
|
|
use anyhow::anyhow;
|
|
use anyhow::Result;
|
|
use std::ffi::c_void;
|
|
use windows_sys::Win32::Foundation::CloseHandle;
|
|
use windows_sys::Win32::Foundation::GetLastError;
|
|
use windows_sys::Win32::Foundation::HANDLE;
|
|
use windows_sys::Win32::Foundation::LUID;
|
|
use windows_sys::Win32::Security::AdjustTokenPrivileges;
|
|
use windows_sys::Win32::Security::CopySid;
|
|
use windows_sys::Win32::Security::CreateRestrictedToken;
|
|
use windows_sys::Win32::Security::CreateWellKnownSid;
|
|
use windows_sys::Win32::Security::GetLengthSid;
|
|
use windows_sys::Win32::Security::GetTokenInformation;
|
|
use windows_sys::Win32::Security::LookupPrivilegeValueW;
|
|
|
|
use windows_sys::Win32::Security::TokenGroups;
|
|
use windows_sys::Win32::Security::SID_AND_ATTRIBUTES;
|
|
use windows_sys::Win32::Security::TOKEN_ADJUST_DEFAULT;
|
|
use windows_sys::Win32::Security::TOKEN_ADJUST_PRIVILEGES;
|
|
use windows_sys::Win32::Security::TOKEN_ADJUST_SESSIONID;
|
|
use windows_sys::Win32::Security::TOKEN_ASSIGN_PRIMARY;
|
|
use windows_sys::Win32::Security::TOKEN_DUPLICATE;
|
|
use windows_sys::Win32::Security::TOKEN_PRIVILEGES;
|
|
use windows_sys::Win32::Security::TOKEN_QUERY;
|
|
use windows_sys::Win32::System::Threading::GetCurrentProcess;
|
|
|
|
const DISABLE_MAX_PRIVILEGE: u32 = 0x01;
|
|
const LUA_TOKEN: u32 = 0x04;
|
|
const WRITE_RESTRICTED: u32 = 0x08;
|
|
const WIN_WORLD_SID: i32 = 1;
|
|
const SE_GROUP_LOGON_ID: u32 = 0xC0000000;
|
|
|
|
pub unsafe fn world_sid() -> Result<Vec<u8>> {
|
|
let mut size: u32 = 0;
|
|
CreateWellKnownSid(
|
|
WIN_WORLD_SID,
|
|
std::ptr::null_mut(),
|
|
std::ptr::null_mut(),
|
|
&mut size,
|
|
);
|
|
let mut buf: Vec<u8> = vec![0u8; size as usize];
|
|
let ok = CreateWellKnownSid(
|
|
WIN_WORLD_SID,
|
|
std::ptr::null_mut(),
|
|
buf.as_mut_ptr() as *mut c_void,
|
|
&mut size,
|
|
);
|
|
if ok == 0 {
|
|
return Err(anyhow!("CreateWellKnownSid failed: {}", GetLastError()));
|
|
}
|
|
Ok(buf)
|
|
}
|
|
|
|
pub unsafe fn convert_string_sid_to_sid(s: &str) -> Option<*mut c_void> {
|
|
#[link(name = "advapi32")]
|
|
extern "system" {
|
|
fn ConvertStringSidToSidW(StringSid: *const u16, Sid: *mut *mut c_void) -> i32;
|
|
}
|
|
let mut psid: *mut c_void = std::ptr::null_mut();
|
|
let ok = unsafe { ConvertStringSidToSidW(to_wide(s).as_ptr(), &mut psid) };
|
|
if ok != 0 {
|
|
Some(psid)
|
|
} else {
|
|
None
|
|
}
|
|
}
|
|
|
|
pub unsafe fn get_current_token_for_restriction() -> Result<HANDLE> {
|
|
let desired = TOKEN_DUPLICATE
|
|
| TOKEN_QUERY
|
|
| TOKEN_ASSIGN_PRIMARY
|
|
| TOKEN_ADJUST_DEFAULT
|
|
| TOKEN_ADJUST_SESSIONID
|
|
| TOKEN_ADJUST_PRIVILEGES;
|
|
let mut h: HANDLE = 0;
|
|
#[link(name = "advapi32")]
|
|
extern "system" {
|
|
fn OpenProcessToken(
|
|
ProcessHandle: HANDLE,
|
|
DesiredAccess: u32,
|
|
TokenHandle: *mut HANDLE,
|
|
) -> i32;
|
|
}
|
|
let ok = unsafe { OpenProcessToken(GetCurrentProcess(), desired, &mut h) };
|
|
if ok == 0 {
|
|
return Err(anyhow!("OpenProcessToken failed: {}", GetLastError()));
|
|
}
|
|
Ok(h)
|
|
}
|
|
|
|
pub unsafe fn get_logon_sid_bytes(h_token: HANDLE) -> Result<Vec<u8>> {
|
|
unsafe fn scan_token_groups_for_logon(h: HANDLE) -> Option<Vec<u8>> {
|
|
let mut needed: u32 = 0;
|
|
GetTokenInformation(h, TokenGroups, std::ptr::null_mut(), 0, &mut needed);
|
|
if needed == 0 {
|
|
return None;
|
|
}
|
|
let mut buf: Vec<u8> = vec![0u8; needed as usize];
|
|
let ok = GetTokenInformation(
|
|
h,
|
|
TokenGroups,
|
|
buf.as_mut_ptr() as *mut c_void,
|
|
needed,
|
|
&mut needed,
|
|
);
|
|
if ok == 0 || (needed as usize) < std::mem::size_of::<u32>() {
|
|
return None;
|
|
}
|
|
let group_count = std::ptr::read_unaligned(buf.as_ptr() as *const u32) as usize;
|
|
// TOKEN_GROUPS layout is: DWORD GroupCount; SID_AND_ATTRIBUTES Groups[];
|
|
// On 64-bit, Groups is aligned to pointer alignment after 4-byte GroupCount.
|
|
let after_count = unsafe { buf.as_ptr().add(std::mem::size_of::<u32>()) } as usize;
|
|
let align = std::mem::align_of::<SID_AND_ATTRIBUTES>();
|
|
let aligned = (after_count + (align - 1)) & !(align - 1);
|
|
let groups_ptr = aligned as *const SID_AND_ATTRIBUTES;
|
|
for i in 0..group_count {
|
|
let entry: SID_AND_ATTRIBUTES = std::ptr::read_unaligned(groups_ptr.add(i));
|
|
if (entry.Attributes & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID {
|
|
let sid = entry.Sid;
|
|
let sid_len = GetLengthSid(sid);
|
|
if sid_len == 0 {
|
|
return None;
|
|
}
|
|
let mut out = vec![0u8; sid_len as usize];
|
|
if CopySid(sid_len, out.as_mut_ptr() as *mut c_void, sid) == 0 {
|
|
return None;
|
|
}
|
|
return Some(out);
|
|
}
|
|
}
|
|
None
|
|
}
|
|
|
|
if let Some(v) = scan_token_groups_for_logon(h_token) {
|
|
return Ok(v);
|
|
}
|
|
|
|
#[repr(C)]
|
|
struct TOKEN_LINKED_TOKEN {
|
|
linked_token: HANDLE,
|
|
}
|
|
const TOKEN_LINKED_TOKEN_CLASS: i32 = 19; // TokenLinkedToken
|
|
let mut ln_needed: u32 = 0;
|
|
GetTokenInformation(
|
|
h_token,
|
|
TOKEN_LINKED_TOKEN_CLASS,
|
|
std::ptr::null_mut(),
|
|
0,
|
|
&mut ln_needed,
|
|
);
|
|
if ln_needed >= std::mem::size_of::<TOKEN_LINKED_TOKEN>() as u32 {
|
|
let mut ln_buf: Vec<u8> = vec![0u8; ln_needed as usize];
|
|
let ok = GetTokenInformation(
|
|
h_token,
|
|
TOKEN_LINKED_TOKEN_CLASS,
|
|
ln_buf.as_mut_ptr() as *mut c_void,
|
|
ln_needed,
|
|
&mut ln_needed,
|
|
);
|
|
if ok != 0 {
|
|
let lt: TOKEN_LINKED_TOKEN =
|
|
std::ptr::read_unaligned(ln_buf.as_ptr() as *const TOKEN_LINKED_TOKEN);
|
|
if lt.linked_token != 0 {
|
|
let res = scan_token_groups_for_logon(lt.linked_token);
|
|
CloseHandle(lt.linked_token);
|
|
if let Some(v) = res {
|
|
return Ok(v);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
Err(anyhow!("Logon SID not present on token"))
|
|
}
|
|
unsafe fn enable_single_privilege(h_token: HANDLE, name: &str) -> Result<()> {
|
|
let mut luid = LUID {
|
|
LowPart: 0,
|
|
HighPart: 0,
|
|
};
|
|
let ok = LookupPrivilegeValueW(std::ptr::null(), to_wide(name).as_ptr(), &mut luid);
|
|
if ok == 0 {
|
|
return Err(anyhow!("LookupPrivilegeValueW failed: {}", GetLastError()));
|
|
}
|
|
let mut tp: TOKEN_PRIVILEGES = std::mem::zeroed();
|
|
tp.PrivilegeCount = 1;
|
|
tp.Privileges[0].Luid = luid;
|
|
tp.Privileges[0].Attributes = 0x00000002; // SE_PRIVILEGE_ENABLED
|
|
let ok2 = AdjustTokenPrivileges(h_token, 0, &tp, 0, std::ptr::null_mut(), std::ptr::null_mut());
|
|
if ok2 == 0 {
|
|
return Err(anyhow!("AdjustTokenPrivileges failed: {}", GetLastError()));
|
|
}
|
|
let err = GetLastError();
|
|
if err != 0 {
|
|
return Err(anyhow!("AdjustTokenPrivileges error {}", err));
|
|
}
|
|
Ok(())
|
|
}
|
|
|
|
// removed unused create_write_restricted_token_strict
|
|
|
|
pub unsafe fn create_workspace_write_token_with_cap(
|
|
psid_capability: *mut c_void,
|
|
) -> Result<(HANDLE, *mut c_void)> {
|
|
let base = get_current_token_for_restriction()?;
|
|
let mut logon_sid_bytes = get_logon_sid_bytes(base)?;
|
|
let psid_logon = logon_sid_bytes.as_mut_ptr() as *mut c_void;
|
|
let mut everyone = world_sid()?;
|
|
let psid_everyone = everyone.as_mut_ptr() as *mut c_void;
|
|
let mut entries: [SID_AND_ATTRIBUTES; 3] = std::mem::zeroed();
|
|
// Exact set and order: Capability, Logon, Everyone
|
|
entries[0].Sid = psid_capability;
|
|
entries[0].Attributes = 0;
|
|
entries[1].Sid = psid_logon;
|
|
entries[1].Attributes = 0;
|
|
entries[2].Sid = psid_everyone;
|
|
entries[2].Attributes = 0;
|
|
let mut new_token: HANDLE = 0;
|
|
let flags = DISABLE_MAX_PRIVILEGE | LUA_TOKEN | WRITE_RESTRICTED;
|
|
let ok = CreateRestrictedToken(
|
|
base,
|
|
flags,
|
|
0,
|
|
std::ptr::null(),
|
|
0,
|
|
std::ptr::null(),
|
|
3,
|
|
entries.as_mut_ptr(),
|
|
&mut new_token,
|
|
);
|
|
if ok == 0 {
|
|
return Err(anyhow!("CreateRestrictedToken failed: {}", GetLastError()));
|
|
}
|
|
enable_single_privilege(new_token, "SeChangeNotifyPrivilege")?;
|
|
Ok((new_token, psid_capability))
|
|
}
|
|
|
|
pub unsafe fn create_readonly_token_with_cap(
|
|
psid_capability: *mut c_void,
|
|
) -> Result<(HANDLE, *mut c_void)> {
|
|
let base = get_current_token_for_restriction()?;
|
|
let mut logon_sid_bytes = get_logon_sid_bytes(base)?;
|
|
let psid_logon = logon_sid_bytes.as_mut_ptr() as *mut c_void;
|
|
let mut everyone = world_sid()?;
|
|
let psid_everyone = everyone.as_mut_ptr() as *mut c_void;
|
|
let mut entries: [SID_AND_ATTRIBUTES; 3] = std::mem::zeroed();
|
|
// Exact set and order: Capability, Logon, Everyone
|
|
entries[0].Sid = psid_capability;
|
|
entries[0].Attributes = 0;
|
|
entries[1].Sid = psid_logon;
|
|
entries[1].Attributes = 0;
|
|
entries[2].Sid = psid_everyone;
|
|
entries[2].Attributes = 0;
|
|
let mut new_token: HANDLE = 0;
|
|
let flags = DISABLE_MAX_PRIVILEGE | LUA_TOKEN | WRITE_RESTRICTED;
|
|
let ok = CreateRestrictedToken(
|
|
base,
|
|
flags,
|
|
0,
|
|
std::ptr::null(),
|
|
0,
|
|
std::ptr::null(),
|
|
3,
|
|
entries.as_mut_ptr(),
|
|
&mut new_token,
|
|
);
|
|
if ok == 0 {
|
|
return Err(anyhow!("CreateRestrictedToken failed: {}", GetLastError()));
|
|
}
|
|
enable_single_privilege(new_token, "SeChangeNotifyPrivilege")?;
|
|
Ok((new_token, psid_capability))
|
|
}
|