Add Qoder provider support and docs

[PKFireBarry]

• Add Qoder provider support across auth, registry, watcher, and executor wiring
• Expose Qoder OAuth device-flow login via CLI flag and management endpoint
• Add Qoder model catalog entries and config examples
• Update docs (EN/CN/JA) and note management UI asset refresh

[gemini-code-assist]

Code Review

This pull request adds full support for the Qoder AI provider, implementing OAuth2 device flow, COSY encryption, and a specialized request executor. The changes span the CLI, management API, and model registry. Review feedback identifies critical security concerns regarding weak hashing and IV selection, as well as logic issues in token persistence and metadata unmarshalling. Recommendations also include consolidating duplicate authentication logic and improving user-facing labels in the management dashboard.

[gemini-code-assist]

Using the AES key as the Initialization Vector (IV) for CBC mode is generally not recommended. IVs should be unpredictable and unique for each encryption to prevent certain cryptographic attacks. While this might be done to match an existing JavaScript implementation, it's a security concern that should be addressed if possible, perhaps by generating a random IV and prepending it to the ciphertext.

[gemini-code-assist]

MD5 is considered cryptographically weak for new applications, especially for signatures where collision resistance is important. It's recommended to use a stronger hashing algorithm like SHA-256 for security purposes.

[gemini-code-assist]

Passing an empty string to storage.SaveTokenToFile means the file will be saved to the current working directory. This is likely not the intended behavior for persistent auth files and can lead to tokens being saved in an unexpected or insecure location. The authFilePath should be explicitly provided, typically derived from the configured auth directory and a unique filename.

[gemini-code-assist]

The code attempts to unmarshal the entire metadata map directly into a qoderauth.QoderTokenStorage struct. The metadata map contains fields (like email, project_id, priority, note) that are not part of QoderTokenStorage. This will result in an incomplete or incorrect QoderTokenStorage object, as only fields matching its struct tags will be populated. It's better to explicitly extract and assign relevant fields from metadata to construct the QoderTokenStorage object, or ensure metadata strictly adheres to the QoderTokenStorage structure if that's the intention.

[gemini-code-assist]

Similar to internal/watcher/synthesizer/file.go, this code attempts to unmarshal the entire metadata map directly into a qoderauth.QoderTokenStorage struct. This will likely result in an incomplete or incorrect QoderTokenStorage object, as only fields matching its struct tags will be populated. It's better to explicitly extract and assign relevant fields from metadata to construct the QoderTokenStorage object, or ensure metadata strictly adheres to the QoderTokenStorage structure if that's the intention.

[gemini-code-assist]

The label "Qoder User" is generic. If storage.Name or storage.Email is available, it would be more descriptive and user-friendly to use that for the label.

[gemini-code-assist]

The generateCodeVerifier function is a duplicate of generateDeviceCodeVerifier found in internal/auth/qoder/cosy.go. Consider consolidating these into a single shared utility function to reduce code duplication and improve maintainability.

[gemini-code-assist]

The generateCodeChallenge function is a duplicate of generateDeviceCodeChallenge found in internal/auth/qoder/cosy.go. Consider consolidating these into a single shared utility function to reduce code duplication and improve maintainability.

[gemini-code-assist]

Allocating a 50MB buffer for the bufio.Scanner is a very large memory footprint. While it might be necessary for extremely large SSE events, it's worth evaluating if this is always needed or if a more dynamic approach could be used to conserve memory, especially if typical SSE events are much smaller.

[gemini-code-assist]

The authSvc.SaveUserInfo call updates name and email within the QoderAuth service instance, but these updated values are not explicitly propagated back to the tokenStorage object before it's used to set tokenStorage.Email and tokenStorage.Name later. This could lead to tokenStorage having stale name and email if FetchUserInfo was successful in updating them.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 16ae758534

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Persist Qoder refresh tokens using a real auth file path

doRefreshToken always calls SaveTokenToFile(""), so any successful refresh still returns a file-write error and never updates the on-disk credential record. Because ExecuteStream only logs this error, runtime requests may continue with in-memory tokens while the saved refresh token stays stale, which can break authentication after a restart when refresh tokens rotate.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Surface scanner errors before ending Qoder SSE streams

The stream loop exits when scanner.Scan() returns false, but there is no scanner.Err() check after the loop. In cases like mid-stream connection resets or scanner token-size failures, the code closes the stream as if it completed normally, which can silently truncate model output and return partial results without an error chunk.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Handle nil request bodies before COSY signing

HttpRequest unconditionally reads req.Body, but requests created without a body (for example GET/HEAD) can have Body == nil. Calling io.ReadAll on a nil body panics, so generic HTTP execution against qoder can crash unless every caller provides an explicit empty reader.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Route Qoder HTTP calls through proxy-aware client

The executor constructs a fixed http.Client once and reuses it for all qoder calls, bypassing the repository’s proxy-aware client path used by other providers. This ignores configured cfg.ProxyURL/per-auth proxy settings, so qoder requests can fail in environments that require outbound traffic through the configured proxy.

Useful? React with 👍 / 👎.

[luispater]

Summary:
This PR adds broad Qoder support across auth, management routes, model registry, and executor wiring. The integration shape is good, but there are two correctness/reliability issues that should be fixed before merge.

Blocking issues:

1. internal/runtime/executor/qoder_executor.go: http.Client{Timeout: 180 * time.Second} in the Qoder executor introduces hard cutoff risk for long streaming sessions. This can break valid responses and conflicts with existing timeout policy for established upstream streams.
2. internal/auth/qoder/api.go: refresh persistence uses storage.SaveTokenToFile(""), which does not provide a writable auth file path. This will fail file creation and causes token refresh persistence to fail.

Suggested tests:

• Auth refresh regression test: expired/nearly-expired Qoder token should refresh and persist successfully.
• Streaming executor test: long-running SSE stream should not be aborted by client timeout.
• Tool-calls path test: verify tool call chunks are accumulated and returned in non-stream response mode.

Decision:
Request changes due to the two blocking reliability bugs above.