# CmdCode Solo

> One Page · Zero Install · Zero Dependency · Full Memory System AI Agent

A minimalist, self-hosted AI coding assistant that runs entirely in the browser with persistent long-term memory — no build tools, no frameworks, no external services. Deploy with just one HTML file and one PHP proxy on any server.

👉 **Live Demo:** [CmdCode.cn/ui.html](https://cmdcode.cn/ui.html) — Guest mode, no login required

---

## ✨ Core Features

- **🧠 Single-Page Application** — All frontend logic in one `ui.html`, no npm, no webpack, no frameworks.
- **📄 Zero Install, Zero External Dependencies** — No Docker, no Node.js, no Python venv. Just PHP 7.4+ and MySQL 5.7+ (runs on the cheapest shared hosting).
- **💾 Complete Memory System (L1+L2+L3)** — A localized implementation based on the TencentDB Agent Memory architecture:
  - **L1 Atomic Memory** — Auto-extracts facts, decisions, preferences, and credentials from conversation, encrypted with AES-256-CBC.
  - **L2 Scenario Abstraction** — Isolates memory by project or topic to prevent cross-task confusion.
  - **L3 User Profile** — Distills long-term stable user characteristics so the AI truly "gets you."
- **🔐 Encrypted Credential Memory** — Passwords, API Keys, etc. are never discarded — they're encrypted on disk, decrypted in memory during retrieval, and purged immediately after use.
- **🖼️ Guest Shared Drive** — No registration needed, images generated by all users appear in the shared drive. Ready to use out of the box.
- **👤 Multi-User Physical Isolation** — Each user has a dedicated folder (`/user_data/{id}/Memory/`) with Linux permissions 0700, counted under the 100MB/1GB quota.
- **⚡ Streaming Responses** — Real-time display of AI thinking process and tool invocation steps.
- **🎵 Multimodal Support** — Text-to-image, image-to-image, TTS, music generation, video generation — all within the conversation.
- **🔑 3-Key Auto Rotation** — All MiniMax API calls (chat, image, TTS, music, video, vision) use triple-key rotation with automatic 429 retry. Frontend session-level guard prevents AI from repeating calls after all keys exhausted.
- **📱 Mobile Optimized** — Responsive design with iOS/Android safe area support, usable as a PWA.
- **🪶 Zero Framework Dependencies** — Pure vanilla JavaScript (ES6), CSS3, and HTML5, no third-party libraries.

---

## 🤖 Quick Start — AI Agent One-Click Deploy (Recommended)

This is the fastest way to deploy. **Just one sentence, and the AI does everything for you:**

Copy the repository URL below and give it to an AI agent (like **Hermes Agent**, **Claude Code**, **OpenClaw**, etc.), saying:

> **"Please deploy this project to my web server and local environment so I can access ui.html directly."**

```text
# GitHub (recommended for international users)
https://github.com/xusu-ai/cmdcode-solo.git

# Gitee (recommended for Chinese users)
https://gitee.com/xusuai/cmdcode-solo.git
```

The AI agent will automatically handle everything:

| Step | Description |
|:-----|:------------|
| ✅ Clone code | Pull the latest code from the repository |
| ✅ Configure API Key | You provide the LLM API Key, AI writes it into encrypted config |
| ✅ Configure server | You provide FTP/server credentials, AI uploads files to web directory |
| ✅ Configure database | You provide MySQL credentials, AI creates tables automatically |
| ✅ Configure cron | AI adds async Worker scheduled tasks |
| ✅ Directory permissions | AI creates `/user_data` and sets correct permissions |
| ✅ Security hardening | AI configures `.htaccess` security rules |
| 🎉 **Done!** | Visit `https://your-domain/ui.html` and start using |

> **All you need to do is 3 things:** ① Approve the actions ② Submit your API Key ③ Submit your server credentials
>
> Everything else is automated by the AI agent. Effortless.

---

## 🛠️ Manual Deployment

### Requirements

- PHP 7.4+ (with openssl, curl, pdo_mysql extensions)
- MySQL 5.7+ or MariaDB 10.2+
- Any web server (Apache / Nginx / LiteSpeed)
- Cron daemon (for async memory processing)

### Deployment Steps

1. Clone the repository to your web server directory.
2. Edit `config.enc.php`, set a strong random passphrase, and write your API Key into the encrypted storage.
3. Modify `ACCESS_TOKEN` and the domain whitelist in `proxy.php`.
4. Import the required database tables (auto-created, or manually run `CREATE TABLE IF NOT EXISTS ...`).
5. Configure Crontab:
   ```cron
   * * * * * sleep 0; /path/to/long-task-cron-worker.sh
   * * * * * sleep 15; /path/to/long-task-cron-worker.sh
   * * * * * sleep 30; /path/to/long-task-cron-worker.sh
   * * * * * sleep 45; /path/to/long-task-cron-worker.sh
   ```
6. Ensure `/user_data` directory is writable by the web server.
7. Visit `https://your-domain/ui.html` to start using.

### Usage

| Mode | Description |
|:-----|:------------|
| **👤 Guest Mode** | No login required, conversations and files auto-saved to shared directory. View images generated by other users |
| **🔑 Login Mode** | Register to get 100MB dedicated personal cloud storage, persistent conversation history (admin gets 1GB) |

---

## 🔄 3-Key Rotation Architecture

All MiniMax API calls implement automatic triple-key rotation:

| Layer | Implementation |
|:------|:---------------|
| **General Handler** | `proxy.php` fallback handler (line 1732): `foreach ($api_keys as $idx => $key)` → 429 auto-switch → all exhausted returns `proxy_all_keys_exhausted` |
| **Music Async** | cron worker `for TRY_KEY in "${KEY_ARRAY[@]}"` → 429/000 skip → local curl bypasses PHP 30s timeout |
| **Video Async** | Same cron worker pattern: submit → poll → get URL, try each key sequentially |
| **Frontend Guard** | 6 session-level flags (`_videoQuotaExhausted`/`_musicQuotaExhausted`/`_imageQuotaExhausted`/`_ttsQuotaExhausted`/`_visionQuotaExhausted`/`_webSearchQuotaExhausted`), zero API cost blocking after first exhaustion detection |

---

## 🧠 Memory System Architecture

### Memory Lifecycle

1. **Auto-Extraction** — When conversation context is compressed, the frontend non-blockingly enqueues a task, sending the conversation to the backend.
2. **Async Processing** — Cron Worker pulls tasks, calls LLM to extract atomic facts, encrypts with AES-256-CBC, and appends to `L1_facts.jsonl`.
3. **Smart Retrieval** — Before each user message, the frontend retrieves relevant memories (full-text match + time decay + popularity ranking via RRF fusion) and injects them into the system prompt.
4. **Profile Update** — Every 30 new memories triggers a user profile distillation, keeping the L3 profile up-to-date.

### Privacy Protection

- Memory content is encrypted with a user-specific key (derived from master key + user ID via HMAC).
- Ciphertext is decrypted in memory during retrieval; only the needed plaintext is included in the LLM context, then released immediately.
- Credential memories are masked in the index table to prevent log leakage.

---

## 📂 Project Structure

```
cmdcode-solo/
├── ui.html                        # Complete frontend Agent with memory retrieval (~91KB)
├── proxy.php                      # API proxy + memory system core (~78KB)
├── config.enc.php                 # AES-256-CBC encrypted configuration
├── long-task-cron-worker.sh       # Universal async Worker (~16KB)
├── cron.d-long-task-worker        # Crontab config (staggered every 15s)
├── long-task-worker-check.sh      # Worker health check (~1.7KB)
├── htaccess-example               # Apache/LiteSpeed security rules
├── v.php                          # Source code viewer
├── source.html                    # Open source homepage metadata
├── README.md                      # 中文说明
└── README_EN.md                   # English README
```

### File Details

| File | Size | Description |
|:-----|:-----|:------------|
| **ui.html** | ~91 KB | Frontend chat interface, zero framework dependencies. Built-in AI Agent conversation, file manager, image viewer, audio/video playback, user authentication, multimodal tools (text-to-image/video/music/voice), 3-key rate-limit rotation, session-level quota exhaustion guard |
| **proxy.php** | ~78 KB | Multi-provider API proxy, solves browser CORS. Supports MiniMax (triple-key rotation failover) and OpenCode Go, includes user auth, file system, memory system, remote Bash, share links, web scraping, full video/music async pipeline |
| **config.enc.php** | ~2.5 KB | AES-256-CBC encrypted configuration, keys never written to disk |
| **htaccess-example** | 351 B | Apache/LiteSpeed security rules: blocks direct `.enc.php` access, protects `.htaccess` itself |
| **long-task-cron-worker.sh** | ~16 KB | Cron-triggered async task worker for long-running MiniMax music/video generation and LLM memory extraction tasks. Bypasses PHP-FPM 30s timeout, implements 3-key rotation with 429 detection |

**Memory-related DB tables**: `memory_tasks` (task queue), `memory_index` (full-text index)

**User memory directory**: `/user_data/{user_id}/Memory/` — L1 encrypted facts (JSONL), L2 scenarios, L3 profiles

---

## 📊 Performance & Cost

- **Storage**: A heavy user generates ~28 MB/year (within the 100MB quota for 3+ years; admin gets 1GB).
- **Token Savings**: Context offloading + memory injection reduces per-conversation token consumption by ~30%.
- **Response Latency**: Memory retrieval completes in under 20ms, no impact on conversation responsiveness.

---

## 🔒 Security Recommendations

- Protect `config.enc.php` (the included .htaccess example blocks direct access).
- Regularly back up the `/user_data` directory and database.
- Use HTTPS for encrypted transmission.
- Keep PHP and web server security patches up to date.

---

## 💬 Design Philosophy

CmdCode Solo follows the philosophy of **minimalism, single-page, zero-dependency**. It relies on no frontend frameworks or build tools, using only native browser capabilities, yet achieves:

- Full AI Agent conversation system with tool calling
- File upload, download, preview, and management
- User authentication and quota management (admin 1GB / user 100MB)
- Context compression and long conversation memory
- Request cancellation and streaming responses
- Text-to-image / image-to-image / TTS / music / video multimodal
- 3-key automatic rotation with session-level quota exhaustion protection
- iOS/Android safe area adaptation

The core application code (HTML + CSS + JS) is ~91KB, suitable for learning vanilla web development or as a lightweight AI application base.

---

## 🔗 Related Links

- **Live Demo:** [https://cmdcode.cn/ui.html](https://cmdcode.cn/ui.html)
- **Open Source Homepage:** [https://cmdcode.cn/source/](https://cmdcode.cn/source/)
- **Hong Kong Main Site:** [https://cmdcode.cn](https://cmdcode.cn)
- **Global Site:** [https://www.qqcmd.com](https://www.qqcmd.com)

---

## 🙏 Acknowledgements

- Memory system architecture inspired by [TencentDB Agent Memory](https://cloud.tencent.com/product/tacl)
- Async Worker pattern based on practices from the Hermes series of AI assistants

## 📄 License

MIT License — Free to use, modify, and distribute. Issues and Pull Requests are welcome.